Data Loss Prevention policy reference

Microsoft Purview Data Loss Prevention (DLP) policies have many components to configure. To create an effective policy, you need to understand what the purpose of each component is and how its configuration alters the behavior of the policy. This article provides a detailed anatomy of a DLP policy.

Before you begin

If you're new to Microsoft Purview DLP, here's a list of the core articles you'll need as you implement DLP:

1. Administrative units
2. Learn about Microsoft Purview Data Loss Prevention - the article introduces you to the data loss prevention discipline and Microsoft's implementation of DLP
3. Plan for data loss prevention (DLP) - by working through this article you will:
   1. Identify stakeholders
   2. Describe the categories of sensitive information to protect
   3. Set goals and strategy
4. Data Loss Prevention policy reference - this article that you're reading now introduces all the components of a DLP policy and how each one influences the behavior of a policy
5. Design a DLP policy - this article walks you through creating a policy intent statement and mapping it to a specific policy configuration.
6. Create and Deploy data loss prevention policies - This article presents some common policy intent scenarios that you'll map to configuration options. It also walks you through configuring those options.

Also, you need to be aware of the following constraints of the platform:

• Maximum number of MIP + MIG policies in a tenant: 10,000
• Maximum size of a DLP policy (100 KB)
• Maximum number of DLP rules:
  • In a policy: Limited by the size of the policy
  • In a tenant: 600
• Maximum size of an individual DLP rule: 100 KB (102,400 characters)
• GIR evidence limit: 100, with each SIT evidence, in proportion of occurrence
• Maximum size of text that can be extracted from a file for scanning: 2 MB
• Regex size limit for all matches predicted: 20 KB
• Policy name length limit: 64 characters
• Policy rule length limit: 64 characters
• Comment length limit: 1024 characters
• Description length limit: 1024 characters

Policy templates

DLP policy templates are sorted into four categories:

• policies that can detect and protect types of Financial information.
• policies that can detect and protect types of Medical and health information.
• policies that can detect and protect types of Privacy information.
• A Custom policy template that you can use to build your own policy if none of the others meet your organization's needs.

The following table lists all policy templates and the sensitive information types (SIT) that they cover.

Category	Template	SIT
Financial	Australia Financial Data	- SWIFT code - Australia tax file number - Australia bank account number - Credit card number
Financial	Canada Financial data	- Credit card number - Canada bank account number
Financial	France Financial data	- Credit card number - EU debit card number
Financial	Germany Financial Data	- Credit card number - EU debit card number
Financial	Israel Financial Data	- Israel bank account number - SWIFT code - Credit card number
Financial	Japan Financial Data	- Japan bank account number - Credit card number
Financial	PCI Data Security Standard (PCI DSS)	- Credit card number
Financial	Saudi Arabia Anti-Cyber Crime Law	- SWIFT code - International banking account number (IBAN)
Financial	Saudi Arabia Financial Data	- Credit card number - SWIFT code - International banking account number (IBAN)
Financial	UK Financial Data	- Credit card number - EU debit card number - SWIFT code
Financial	US Financial Data	- Credit card number - U.S. bank account number - ABA Routing Number
Financial	U.S. Federal Trade Commission (FTC) Consumer Rules	- Credit card number - U.S. bank account number - ABA Routing Number
Financial	U.S. Gramm-Leach-Bliley Act (GLBA) Enhanced	- Credit card number - U.S. bank account number - U.S. Individual Taxpayer Identification Number (ITIN) - U.S. social security number (SSN) - U.S./U.K. passport number -U.S. driver's license number - All Full Names - U.S. Physical Addresses
Financial	U.S. Gramm-Leach-Bliley Act (GLBA)	- Credit card number - U.S. bank account number - U.S. Individual Taxpayer Identification Number (ITIN) - U.S. social security number (SSN)
Medical and health	Australia Health Records Act (HRIP Act) Enhanced	- Australia tax file number - Australia medical account number - All Full Names - All Medical Terms And Conditions - Australia Physical Addresses
Medical and health	Australia Health Records Act (HRIP Act)	- Australia tax file number - Australia medical account number
Medical and health	Canada Health Information Act (HIA)	- Canada passport number - Canada social insurance number - Canada health service number - Canada Personal Health Identification Number
Medical and health	Canada Personal Health Information Act (PHIA) Manitoba	- Canada social insurance number - Canada health service number - Canada Personal Health Identification Number
Medical and health	Canada Personal Health Act (PHIPA) Ontario	- Canada passport number - Canada social insurance number - Canada health service number - Canada Personal Health Identification Number
Medical and health	U.K. Access to Medical Reports Act	- U.K. national health service number - U.K. national insurance number (NINO)
Medical and health	U.S. Health Insurance Act (HIPAA) Enhanced	- International classification of diseases (ICD-9-CM) - International classification of diseases (ICD-10-CM) - All Full Names - All Medical Terms And Conditions - U.S. Physical Addresses
Medical and health	U.S. Health Insurance Act (HIPAA)	- International classification of diseases (ICD-9-CM) - International classification of diseases (ICD-10-CM)
Privacy	Australia Privacy Act Enhanced	- Australia driver's license number - Australia passport number - All Full Names - All Medical Terms And Conditions - Australia Physical Addresses
Privacy	Australia Privacy Act	- Australia drivers license number - Australia passport number
Privacy	Australia Personally Identifiable Information (PII) Data	- Australia tax file number - Australia driver's license number
Privacy	Canada Personally Identifiable Information (PII) Data	- Canada driver's license number - Canada bank account number - Canada passport number - Canada social insurance number - Canada health service number - Canada Personal Health Identification Number
Privacy	Canada Personal Information Protection Act (PIPA)	- Canada passport number - Canada social insurance number - Canada health service number - Canada Personal Health Identification Number
Privacy	Canada Personal Information Protection Act (PIPEDA)	- Canada driver's license number - Canada bank account number - Canada passport number - Canada social insurance number - Canada health service number - Canada Personal Health Identification Number
Privacy	France Data Protection Act	- France national id card (CNI) - France social security number (INSEE)
Privacy	France Personally Identifiable Information (PII) Data	- France social security number (INSEE) - France driver's license number - France passport number - France national id card (CNI)
Privacy	General Data Protection Regulation (GDPR) Enhanced	- Austria Physical Addresses - Belgium Physical Addresses - Bulgaria Physical Addresses - Croatia Physical Addresses - Cyprus Physical Addresses - Czech Republic Physical Addresses - Denmark Physical Addresses - Estonia Physical Addresses - Finland Physical Addresses - France Physical Addresses - Germany Physical Addresses - Greece Physical Addresses - Hungary Physical Addresses - Ireland Physical Addresses - Italy Physical Addresses - Latvia Physical Addresses - Lithuania Physical Addresses - Luxembourg Physical Addresses - Malta Physical Addresses - Netherlands Physical Addresses - Poland Physical Addresses - Portuguese Physical Addresses - Romania Physical Addresses - Slovakia Physical Addresses - Slovenia Physical Addresses - Spain Physical Addresses - Sweden Physical Addresses - Austria Social Security Number - France Social Security Number (INSEE) - Greece Social Security Number (AMKA) - Hungarian Social Security Number (TAJ) - Spain Social Security Number (SSN) - Austria Identity Card - Cyprus Identity Card - Germany Identity Card Number - Malta Identity Card Number - France National ID Card (CNI) - Greece National ID Card - Finland National ID - Poland National ID (PESEL) - Sweden National ID - Croatia Personal Identification (OIB) Number - Czech Personal Identity Number - Denmark Personal Identification Number - Estonia Personal Identification Code - Hungary Personal Identification Number - Luxemburg National Identification Number natural persons - Luxemburg National Identification Number (Non-natural persons) - Italy Fiscal Code - Latvia Personal Code - Lithuania Personal Code - Romania Personal Numerical Code (CNP) - Netherlands Citizen's Service (BSN) Number - Ireland Personal Public Service (PPS) Number - Bulgaria Uniform Civil Number - Belgium National Number - Spain DNI - Slovenia Unique Master Citizen Number - Slovakia Personal Number - Portugal Citizen Card Number - Malta Tax ID Number - Austria Tax Identification Number - Cyprus Tax Identification Number -France Tax Identification Number (numéro SPI.) - Germany Tax Identification Number - Greek Tax identification Number - Hungary Tax identification Number - Netherlands Tax Identification Number - Poland Tax Identification Number - Portugal Tax Identification Number - Slovenia Tax Identification Number - Spain Tax Identification Number - Sweden Tax Identification Number - Austria Driver's License - Belgium Driver's License Number - Bulgaria Driver's License Number - Croatia Driver's License Number - Cyprus Driver's License Number - Czech Driver's License Number - Denmark Driver's License Number - Estonia Driver's License Number - Finland Driver's License Number - France Driver's License Number - German Driver's License Number - Greece Driver's License Number - Hungary Driver's License Number - Ireland Driver's License Number - Italy Driver's License Number - Latvia Driver's License Number - Lithuania Driver's License Number - Luxemburg Driver's License Number - Malta Driver's License Number - Netherlands Driver's License Number - Poland Driver's License Number - Portugal Driver's License Number - Romania Driver's License Number - Slovakia Driver's License Number - Slovenia Driver's License Number - Spain Driver's License Number - Sweden Driver's License Number - Austria Passport Number - Belgium Passport Number - Bulgaria Passport Number - Croatia Passport Number - Cyprus Passport Number - Czech Republic Passport Number - Denmark Passport Number - Estonia Passport Number - Finland Passport Number - France Passport Number - German Passport Number - Greece Passport Number - Hungary Passport Number - Ireland Passport Number - Italy Passport Number - Latvia Passport Number - Lithuania Passport Number - Luxemburg Passport Number - Malta Passport Number - Netherlands Passport Number - Poland Passport - Portugal Passport Number - Romania Passport Number - Slovakia Passport Number - Slovenia Passport Number - Spain Passport Number - Sweden Passport Number - EU Debit Card Number - All Full Names
Privacy	General Data Protection Regulation (GDPR)	- EU debit card number - EU driver's license number - EU national identification number - EU passport number - EU social security number or equivalent identification - EU Tax identification number
Privacy	Germany Personally Identifiable Information (PII) Data	- Germany driver's license number - Germany passport number
Privacy	Israel Personally Identifiable Information (PII) Data	- Israel national identification number
Privacy	Israel Protection of Privacy	- Israel national identification number - Israel bank account number
Privacy	Japan Personally Identifiable Information (PII) Data enhanced	- Japan Social Insurance Number (SIN) - Japan My Number - Personal - Japan passport number - Japan driver's license number - All Full Names - Japan Physical Addresses
Privacy	Japan Personally Identifiable Information (PII) Data	- Japan resident registration number - Japan Social Insurance Number (SIN)
Privacy	Japan Protection of Personal Information Enhanced	- Japan Social Insurance Number (SIN) - Japan My Number - Personal - Japan passport number - Japan driver's license number - All Full Names - Japan Physical Addresses
Privacy	Japan Protection of Personal Information	- Japan resident registration number - Japan Social Insurance Number (SIN)
Privacy	Saudi Arabia Personally Identifiable (PII) Data	- Saudi Arabia National ID
Privacy	U.K. Data Protection Act	- U.K. national insurance number (NINO) - U.S./U.K. passport number - SWIFT code
Privacy	U.K. Privacy and Electronic Communications Regulations	- SWIFT code
Privacy	U.K. Personally Identifiable Information (PII) Data	- U.K. national insurance number (NINO) - U.S./U.K. passport number
Privacy	U.K. Personal Information Online Code of Practice (PIOCP)	- U.K. national insurance number (NINO) - U.K. national health service number - SWIFT code
Privacy	U.S Patriot Act Enhanced	- Credit card number - U.S. bank account number - U.S. Individual Taxpayer Identification Number (ITIN) - U.S. social security number (SSN) - All Full Names - U.S. Physical Addresses
Privacy	U.S. Patriot Act	- Credit card number - U.S. bank account number - U.S. Individual Taxpayer Identification Number (ITIN) - U.S. social security number (SSN)
Privacy	U.S. Personally Identifiable Information (PII) Data Enhanced	- U.S. Individual Taxpayer Identification Number (ITIN) - U.S. social security number (SSN) - U.S./U.K. passport number - All Full Names - U.S. Physical Addresses
Privacy	U.S. Personally Identifiable Information (PII) Data	- U.S. Individual Taxpayer Identification Number (ITIN) - U.S. social security number (SSN) - U.S./U.K. passport number
Privacy	U.S. State Breach Notification Laws Enhanced	- Credit card number - U.S. bank account number -U.S. driver's license number - U.S. social security number (SSN) - All Full Names - U.S./U.K. passport number - All Medical Terms And Conditions
Privacy	U.S. State Breach Notification Laws	- Credit card number - U.S. bank account number -U.S. driver's license number - U.S. social security number (SSN)
Privacy	U.S. State Social Security Number Confidentiality Laws	- U.S. social security number (SSN)

Policy Scoping

See, Administrative units to make sure you understand the difference between an unrestricted admin and an administrative unit restricted admin.

DLP policies are scoped at two different levels. The first level applies unrestricted admin scope policies to all:

• users
• groups
• distribution groups
• accounts
• sites
• cloud app instances
• on-premises repositories
• Power BI workspaces

in your organization (depending on the locations that are selected) or to subgroups of your organization called Administrative Unit restricted policies.

At this level, an administrative unit restricted admin will only be able to pick from the administrative units that they're assigned to.

The second level of DLP policy scoping is by the locations that DLP supports. At this level, both unrestricted and administrative unit restricted administrators will see only the users, distribution groups, groups, and accounts that were included in the first level of policy scoping and that are available for that location.

Unrestricted policies

Unrestricted policies are created and managed by users in these role groups:

• Compliance administrator
• Compliance data administrator
• Information Protection
• Information Protection Admin
• Security administrator

See, Permissions for more details.

Unrestricted administrators can manage all policies and see all the alerts and events that flow from policy matches into the Alerts dashboard and DLP Activity Explorer.

Administrative Unit restricted policies

Administrative units are subsets of your Azure Active Directory and are created for the purposes of managing collections of users, groups, distribution groups, and accounts. These collections are typically created along business group lines or geopolitical areas. Administrative units have a delegated administrator who is associated with an administrative unit in the role group. These are called administrative unit restricted admins.

DLP supports associating policies with administrative units. See Administrative units for implementation details in the Microsoft Purview compliance portal. Administrative unit admins need to be assigned to one of the same roles or role groups as administrators of unrestricted DLP policies in order to create and manage DLP policies for their administrative unit

DLP Administrative Role Group	Can
Unrestricted administrator	- create and scope DLP policies to entire organization - edit all DLP policies - create and scope DLP policies to administrative units - view all alerts and events from all DLP policies
Administrative Unit Restricted administrator - must be a member of/assigned to a role group/role that can administer DLP	- create and scope DLP policies only to the administrative unit that they're assigned to - edit DLP policies that are associated to their administrative unit - view alerts and events only from the DLP policies that are scoped to their administrative unit

Locations

A DLP policy can find and protect items that contain sensitive information across multiple locations.

Location	Supports Administrative Units	Include/Exclude scope	Data state	Additional prerequisites
Exchange	Yes	- Distribution groups - Security groups - Non-mail enabled security groups - Dynamic distribution lists - Microsoft 365 groups (Group members only, not the group as an entity)	data-in-motion	No
SharePoint	No	Sites	data-at-rest data-in-use	No
OneDrive	Yes	- Distribution groups - Security groups - Non-mail enabled security groups - Microsoft 365 groups (Group members only, not the group as an entity)	data-at-rest data-in-use	No
Teams chat and channel messages	Yes	- Distribution groups - Security groups - Non-mail enabled security groups - Microsoft 365 groups (Group members only, not the group as an entity)	data-in-motion data-in-use	No
Microsoft Defender for Cloud Apps	No	Cloud app instance	data-at-rest	- Use data loss prevention policies for non-Microsoft cloud apps
Devices	Yes	- Distribution groups - Security groups - Non-mail enabled security groups - Microsoft 365 groups (Group members only, not the group as an entity)	data-in-use data-in-motion	- Learn about Endpoint data loss prevention - Get started with Endpoint data loss prevention - Configure device proxy and internet connection settings for Information Protection
On-premises repositories (file shares and SharePoint)	No	Repository	data-at-rest	- Learn about the data loss prevention on-premises repositories - Get started with the data loss prevention on-premises repositories
Power BI	No	Workspaces	data-in-use	No
Third-party apps	None	No	No	No
Power BI	No	None	No	No

Exchange location scoping

If you choose to include specific distribution groups in Exchange, the DLP policy is scoped only to the emails sent by members of that group. Similarly, excluding a distribution group excludes all the emails sent by the members of that distribution group from policy evaluation.

Sender is	Recipient is	Resultant behavior
In scope	N/A	Policy is applied
Out of scope	In scope	Policy isn't applied

Exchange location scope calculation

Here's an example of how Exchange location scope is calculated

Say you have four users in your org, U1, U2, U3, U4 and two distribution groups DG1, and DG2 that you'll use for defining Exchange location inclusion and exclusion scopes. Group membership is set up like this:

Distribution Group	Membership
DG1	U1, U2
DG2	U2, U3

U4 isn't a member of any group.

Include setting	Exclude setting	Policy applies to	Policy doesn't apply to	Explanation of behavior
All	None	All senders in the Exchange org (U1, U2, U3, U4)	N/A	When neither are defined, all senders are included
DG1	None	Member senders of DG1 (U1, U2)	All senders who aren't members of DG1 (U3, U4)	When one setting is defined and the other isn't the defined setting is used
All	DG2	All senders in the Exchange org who aren't members of DG2 (U1, U4)	All senders who are members of DG2 (U2, U3)	When one setting is defined and the other isn't the defined setting is used
DG1	DG2	U1	U2, U3, U4	Exclude overrides include

You can choose to scope a policy to the members of distribution lists, dynamic distribution groups, and security groups. A DLP policy can contain no more than 50 such inclusions and exclusions.

SharePoint and OneDrive location scoping

If you choose to include or exclude specific SharePoint sites or OneDrive accounts, a DLP policy can contain no more than 100 such inclusions and exclusions. Although this limit exists, you can exceed this limit by applying either an org-wide policy or a policy that applies to entire locations.

If you choose to include or exclude specific OneDrive accounts or groups, a DLP policy can contain no more than 100 user accounts or 50 groups as inclusion or exclusion.

Location support for how content can be defined

DLP policies detect sensitive items by matching them to a sensitive information type (SIT), or to a sensitivity label or a retention label. Each location supports different methods of defining sensitive content. When you combine locations in a policy, how the content can be defined can change from how it can be defined by a single location.

Location	Content can be defined by SIT	Content can be defined sensitivity label	Content can be defined by retention label
Exchange email online	Yes	Yes	No
SharePoint online sites	Yes	Yes	Yes
OneDrive for Business accounts	Yes	Yes	Yes
Teams Chat and Channel messages	Yes	No	No
Devices	Yes	Yes	No
Microsoft Defender for Cloud Apps	Yes	Yes	Yes
On-premises repositories	Yes	Yes	No
Power BI	Yes	Yes	No

DLP supports using trainable classifiers as a condition to detect sensitive documents. Content can be defined by trainable classifiers in Exchange, SharePoint sites, OneDrive accounts, Teams Chat and Channels, and Devices. For more information, see Trainable Classifiers.

Rules

Rules are the business logic of DLP policies. They consist of:

• Conditions that when matched, trigger the policy
• Actions to take when the policy is triggered
• User notifications to inform your users when they're doing something that triggers a policy and help educate them on how your organization wants sensitive information treated
• User Overrides when configured by an admin, allow users to selectively override a blocking action
• Incident reports that notify admins and other key stakeholders when a rule match occurs
• Additional options which define the priority for rule evaluation and can stop further rule and policy processing.

A policy contains one or more rules. Rules are executed sequentially, starting with the highest-priority rule in each policy.

The priority by which rules are evaluated and applied

Hosted service workloads

For the hosted service workloads, like Exchange, SharePoint, and OneDrive, each rule is assigned a priority in the order in which it's created. This means that the rule created first has first priority, the rule created second has second priority, and so on.

When content is evaluated against rules, the rules are processed in priority order. If content matches multiple rules, the first rule evaluated that has the most restrictive action is enforced. For example, if content matches all of the following rules, Rule 3 is enforced because it's the highest priority, most restrictive rule:

• Rule 1: only notifies users
• Rule 2: notifies users, restricts access, and allows user overrides
• Rule 3: notifies users, restricts access, and doesn't allow user overrides
• Rule 4: restricts access

Rules 1, 2, and 4 would be evaluated, but not applied. In this example, matches for all of the rules are recorded in the audit logs and shown in the DLP reports, even though only the most restrictive rule is applied.

You can use a rule to meet a specific protection requirement, and then use a DLP policy to group together common protection requirements, such as all of the rules needed to comply with a specific regulation.

For example, you might have a DLP policy that helps you detect the presence of information subject to the Health Insurance Portability and Accountability Act (HIPAA). This DLP policy could help protect HIPAA data (the what) across all SharePoint sites and all OneDrive sites (the where) by finding any document containing this sensitive information that's shared with people outside your organization (the conditions) and then blocking access to the document and sending a notification (the actions). These requirements are stored as individual rules and grouped together as a DLP policy to simplify management and reporting.

For endpoints

When an item matches multiple DLP rules, DLP goes uses through a complex algorithm to decide which actions to apply. Endpoint DLP will apply the aggregate or sum of most restrictive actions. DLP uses these factors when making the calculation.

Policy priority order When an item matches multiple policies and those policies have identical actions, the actions from the highest priority policy is applied.

Rule priority order When an item matches multiple rules in a policy and those rules have identical actions, the actions from the highest priority rule is applied.

Mode of the policy When an item matches multiple policies and those policies have identical actions, the actions from all policies that are in Turn it on state (enforce mode) are applied preferentially over the policies in Test with policy tips and Test state.

The type of action assigned to a user activity When an item matches multiple policies and those policies differ in actions, the aggregate or sum of the most restrictive actions are applied.

Authorization groups configuration When an item matches multiple policies and those policies differ in action, the aggregate or sum of the most restrictive actions are applied.

override options When an item matches multiple policies and those policies differ in the override option, actions are applied in this order:

No override > Allow override

Here are scenarios that illustrate the runtime behavior. For the first three scenarios, you have three DLP policies configured like this:

Policy name	Condition to match	Action	Policy priority
ABC	Content contains credit card number	Block print, audit all other user egress activities	0
MNO	Content contains credit card number	Block copy to USB, audit all other user egress activities	1
XYZ	Content contains U.S. social security number	Block copy to clipboard, audit all other user egress activities	2

Item contains credit card numbers

An item on a monitored device contains credit card numbers, so it matches policy ABC and policy MNO. Both ABC and MNO are in Turn it on mode.

Policy	Cloud egress action	Copy to clipboard action	Copy to USB action	Copy to network share action	Unallowed apps action	Print action	Copy via Bluetooth action	Copy to remote desktop action
ABC	Audit	Audit	Audit	Audit	Audit	Block	Audit	Audit
MNO	Audit	Audit	Block	Audit	Audit	Audit	Audit	Audit
Actions applied at runtime	Audit	Audit	Block	Audit	Audit	Block	Audit	Audit

Item contains credit card numbers and U.S. social security numbers

An item on a monitored device contains credit card numbers and U.S. social security numbers, so this item matches policy ABC, policy MNO, and policy XYZ. All three policies are in Turn it on mode.

Policy	Cloud egress action	Copy to clipboard action	Copy to USB action	Copy to network share action	Unallowed apps action	Print action	Copy via Bluetooth action	Copy to remote desktop action
ABC	Audit	Audit	Audit	Audit	Audit	Block	Audit	Audit
MNO	Audit	Audit	Block	Audit	Audit	Audit	Audit	Audit
XYZ	Audit	Block	Audit	Audit	Audit	Block	Audit	Audit
Actions applied at runtime	Audit	Block	Block	Audit	Audit	Block	Audit	Audit

Item contains credit card numbers, different policy state

An item on a monitored device contains credit card number, so it matches policy ABC and policy MNO. Policy ABC is in Turn it on mode and policy MNO is in Test state.

Policy	Cloud egress action	Copy to clipboard action	Copy to USB action	Copy to network share action	Unallowed apps action	Print action	Copy via Bluetooth action	Copy to remote desktop action
ABC	Audit	Audit	Audit	Audit	Audit	Block	Audit	Audit
MNO	Audit	Audit	Block	Audit	Audit	Audit	Audit	Audit
Actions applied at runtime	Audit	Audit	Audit	Audit	Audit	Block	Audit	Audit

Item contains credit card numbers, different override configuration

An item on a monitored device contains credit card number, so it matches policy ABC and policy MNO. Policy ABC is in Turn it on state and policy MNO is in Turn it on state. They have different Override actions configured

Policy	Cloud egress action	Copy to clipboard action	Copy to USB action	Copy to network share action	Unallowed apps action	Print action	Copy via Bluetooth action	Copy to remote desktop action
ABC	Audit	Audit	Block with override	Audit	Audit	Block	Audit	Audit
MNO	Audit	Audit	Block without override	Audit	Audit	Audit	Audit	Audit
Actions applied at runtime	Audit	Audit	Block without override	Audit	Audit	Block	Audit	Audit

Item contains credit card numbers, different authorization groups configuration

An item on a monitored device contains credit card number, so it matches policy ABC and policy MNO. Policy ABC is in Turn it on state and policy MNO is in Turn it on state. They have different authorization group actions configured

Policy	Cloud egress action	Copy to clipboard action	Copy to USB action	Copy to network share action	Unallowed apps action	Print action	Copy via Bluetooth action	Copy to remote desktop action
ABC	Audit	Audit	Auth group A - Block	Audit	Audit	Auth group A - Block	Audit	Audit
MNO	Audit	Audit	Auth group A - Block with override	Audit	Audit	Auth group B - block	Audit	Audit
Actions applied at runtime	Audit	Audit	Auth group A - Block	Audit	Audit	Auth group A - Block, Auth group B - Block	Audit	Audit

Conditions

Conditions are where you define what you want the rule to look for and the context in which those items are being used. They tell the rule: when you find an item that looks like this and is being used like that—it's a match and the rest of the actions in the policy should be taken on it. You can use conditions to assign different actions to different risk levels. For example, sensitive content shared internally might be lower risk and require fewer actions than sensitive content shared with people outside the organization.

Content contains

All locations support the Content contains condition. You can select multiple instances of each content type and further refine the conditions by using the Any of these (logical OR) or All of these (logical AND) operators:

• sensitive information types
• sensitivity labels
• retention labels
• Trainable Classifiers

depending on the location(s) you choose to apply the policy to.

The rule will only look for the presence of any sensitivity labels and retention labels you pick.

SITs have a predefined confidence level which you can alter if needed. For more information, see More on confidence levels.

Adaptive Protection in Microsoft Purview (preview)

Adaptive protection integrates Microsoft Purview Insider Risk Management risk profiles into DLP policies so that DLP can help protect against dynamically identified risky behaviors. When configured in insider risk management, the User's risk level for adaptive protection is will show up as condition for Exchange Online, Devices, and Teams locations. Refer to Learn about Adaptive Protection in Data Loss Prevention (preview) for more details.

Conditions that adaptive protection supports

• User's risk level for adaptive protection is

with these values:

• Elevated risk level
• Moderate risk level
• Minor risk level

Condition context

The available context options change depending on which location you choose. If you select multiple locations, only the conditions that the locations have in common are available.

Conditions Exchange supports

• Content contains
• User's risk level for Adaptive Protection is
• Content is not labeled
• Content is shared from Microsoft 365
• Content is received from
• Sender IP address is
• Header contains words or phrases
• Sender AD Attribute contains words or phrases
• Content character set contains words
• Header matches patterns
• Sender AD Attribute matches patterns
• Recipient AD Attribute contains words or phrases
• Recipient AD Attribute matches patterns
• Recipient is member of
• Document property is
• Any email attachment's content could not be scanned
• Document or attachment is password protected
• Has sender overridden the policy tip
• Sender is a member of
• Any email attachment's content didn't complete scanning
• Recipient address contains words
• File extension is
• Recipient domain is
• Recipient is
• Sender is
• Sender domain is
• Recipient address matches patterns
• Document name contains words or phrases
• Document name matches patterns
• Subject contains words or phrases
• Subject matches patterns
• Subject or body contains words or phrases
• Subject or body matches patterns
• Sender address contains words
• Sender address matches patterns
• Document size equals or is greater than
• Document content contains words or phrases
• Document content matches patterns
• Message size equals or is greater than
• Message type is
• Message importance is

Conditions SharePoint supports

• Content contains
• Content is shared from Microsoft 365
• Document property is
• File extension is
• Document name contains words or phrases
• Document size equals or is greater than
• Document created by
• Document created by member of

Conditions OneDrive accounts supports

• Content contains
• Content is shared from Microsoft 365
• Document property is
• File extension is
• Document name contains words or phrases
• Document size equals or is greater than
• Document created by
• Document created by member of
• Document is shared

Conditions Teams chat and channel messages supports

• Content contains
• Users risk level for Adaptive Protection is
• Content is shared from Microsoft 365
• Recipient domain is -Recipient is
• Sender is
• Sender domain is

Conditions Devices supports

• Content contains
• User's risk level for Adaptive Protection is
• Content is not labeled (PDF and Office files are fully supported). This predicate detects content that doesn't have a sensitivity label applied. To help ensure only supported file types are detected, you should use this condition with the File extension is or File type is conditions.
• Document or attachment is password protected (PDF, Office files, .ZIP, .7z, and Symantec PGP encrypted files are fully supported). This condition detects only open protected files.
• File type is
• File extension is
• The user accessed a sensitive website from Microsoft Edge. For more information, see, Scenario 6 Monitor or restrict user activities on sensitive service domains (preview).
• See, Endpoint activities you can monitor and take action on

Conditions Microsoft Defender for Cloud Apps supports

• Content contains
• Content is shared from Microsoft 365

Conditions On-premises repositories supports

• Content contains
• File extension is
• Document property is

Conditions Power BI supports

• Content contains

Condition groups

Sometimes you need a rule to identify only one thing, such as all content that contains a U.S. Social Security Number, which is defined by a single SIT. However, in many scenarios where the types of items you're trying to identify are more complex and therefore harder to define, more flexibility in defining conditions is required.

For example, to identify content subject to the U.S. Health Insurance Act (HIPAA), you need to look for:

• Content that contains specific types of sensitive information, such as a U.S. Social Security Number or Drug Enforcement Agency (DEA) Number.

  AND

• Content that's more difficult to identify, such as communications about a patient's care or descriptions of medical services provided. Identifying this content requires matching keywords from large keyword lists, such as the International Classification of Diseases (ICD-9-CM or ICD-10-CM).

You can identify this type of data by grouping conditions and using logical operators (AND, OR) between the groups.

For the U.S. Health Insurance Act (HIPPA), conditions are grouped like this:

The first group contains the SITs that identify an individual and the second group contains the SITs that identify medical diagnosis.

Conditions can be grouped and joined by boolean operators (AND, OR, NOT) so that you define a rule by stating what should be included and then defining exclusions in a different group joined to the first by a NOT. To learn more about how Purview DLP implements booleans and nested groups see, Complex rule design.

DLP Platform Limitations for Conditions

Predicate	Workload	Limit	Cost of Evaluation
Content Contains	EXO/SPO/ODB	125 SITs per rule	High
Content is shared from Microsoft 365	EXO/SPO/ODB	-	High
Sender IP address is	EXO	Individual range length <= 128; Count <= 600	Low
Has sender overridden the policy tip	EXO	-	Low
Sender is	EXO	Individual email length <= 256; Count <= 600	Medium
Sender is a member of	EXO	Count <= 600	High
Sender domain is	EXO	Domain name length <= 67; Count <= 600	Low
Sender address contains words	EXO	Individual word length <= 128; Count <= 600	Low
Sender address matches patterns	EXO	Regex length <= 128 char; Count <= 600	Low
Sender AD attribute contains words	EXO	Individual word length <= 128; Count <= 600	Medium
Sender AD attribute matches patterns	EXO	Regex length <= 128 char; Count <= 600	Medium
Content of email attachment(s) can't be scanned	EXO	Supported file types	Low
Incomplete scan of email attachment content	EXO	Size > 1 MB	Low
Attachment is password-protected	EXO	File types: Office files, .PDF, .ZIP, and 7z	Low
Attachment's file extension is	EXO/SPO/ODB	Count <= 600 per rule	High
Recipient is a member of	EXO	Count <= 600	High
Recipient domain is	EXO	Domain name length <= 67; Count <= 5000	Low
Recipient is	EXO	Individual email length <= 256; Count <= 600	Low
Recipient address contains words	EXO	Individual word length <= 128; Count <= 600	Low
Recipient address matches patterns	EXO	Count <= 300	Low
Document name contains words or phrases	EXO	Individual word length <= 128; Count <=600	Low
Document Name matches patterns	EXO	Regex length <= 128 char; Count <= 300	Low
Document property is	EXO/SPO/ODB	-	Low
Document size equals or is greater than	EXO	-	Low
Subject contains words or phrases	EXO	Individual word length <= 128; Count <= 600	Low
Header contains words or phrases	EXO	Individual word length <= 128; Count <= 600	Low
Subject or body contains words or phrases	EXO	Individual word length <= 128; Count <= 600	Low
Content character set contains words	EXO	Count <= 600	Low
Header matches patterns	EXO	Regex length <= 128 char; Count <= 300	Low
Subject matches patterns	EXO	Regex length <= 128 char; Count <= 300	Low
Subject or body matches patterns	EXO	Regex length <= 128 char; Count <= 300	Low
Message type is	EXO	-	Low
Message size over	EXO	-	Low
With importance	EXO	-	Low
Sender AD attribute contains words	EXO	Each attribute key value pair: has Regex length <= 128 char; Count <= 600	Medium
Sender AD attribute matches patterns	EXO	Each attribute key value pair: has Regex length <= 128 char; Count <= 300	Medium
Document contains words	EXO	Individual word length <= 128; Count <= 600	Medium
Document matches patterns	EXO	Regex length <= 128 char; Count <= 300	Medium

Actions

Any item that makes it through the conditions filter will have any actions that are defined in the rule applied to it. You'll have to configure the required options to support the action. For example, if you select Exchange with the Restrict access or encrypt the content in Microsoft 365 locations action, you need to choose from these options:

• Block users from accessing shared SharePoint, OneDrive, and Teams content
  • Block everyone. Only the content owner, last modifier, and site admin will continue to have access
  • Block only people from outside your organization. Users inside your organization will continue to have access.
• Encrypt email messages (applies only to content in Exchange)

The actions that are available in a rule depend on the locations that have been selected. The available actions for each individual location are listed below.

Exchange location actions

• Restrict access or encrypt the content in Microsoft 365 locations
• Set headers
• Remove header
• Redirect the message to specific users
• Forward the message for approval to sender's manager
• Forward the message for approval to specific approvers
• Add recipient to the To box
• Add recipient to the Cc box
• Add recipient to the Bcc box
• Add the sender's manager as recipient
• Remove message encryption and rights protection
• Prepend Email Subject
• Add HTML Disclaimer
• Modify Email Subject
• Deliver the message to the hosted quarantine
• Apply branding to encrypted messages

SharePoint sites location actions

• Restrict access or encrypt the content in Microsoft 365 locations

OneDrive account location actions

• Restrict access or encrypt the content in Microsoft 365 locations

Teams Chat and Channel Messages actions

• Restrict access or encrypt the content in Microsoft 365 locations

Devices actions

• Restrict access or encrypt the content in Microsoft 365 locations
• Audit or restricted activities when users access sensitive websites in Microsoft Edge browser on Windows devices (See, Scenario 6 Monitor or restrict user activities on sensitive service domains) for more information.)
• Audit or restrict activities on devices

To use Audit or restrict activities on Windows devices, you have to configure options in DLP settings and in the policy in which you want to use them. See, Restricted apps and app groups for more information.

The devices location provides many sub-activities (conditions) and actions. To learn more, see Endpoint activities you can monitor and take action on.

When you select Audit or restrict activities on Windows devices, you can restrict the user activities by service domain or browser, and scope the actions that DLP takes by:

• All apps
• By a list of restricted apps that you define
• A restricted app group (preview) that you define.

Service domain and browser activities

When you configure the Allow/Block cloud service domains and the Unallowed browsers list (see Browser and domain restrictions to sensitive data) and a user attempts to upload a protected file to a cloud service domain or access it from an unallowed browser, you can configure the policy action to Audit only, Block with override, or Block the activity.

File activities for all apps

With the File activities for all apps option, you select either Don't restrict file activities or Apply restrictions to specific activities. When you select Apply restrictions to specific activities, the actions that you select here are applied when a user has accessed a DLP protected item. You can tell DLP to Audit only, Block with override, or Block (the actions) these user activities:

• Copy to clipboard
• Copy to a USB removable drive
• Copy to a network share
• Print
• Copy or move using an unallowed Bluetooth app
• Remote desktop services

Restricted app activities

Previously called Unallowed apps, restricted app activities are apps that you want to place restrictions on. You define these apps in a list in Endpoint DLP settings. When a user attempts to access a DLP protected file using an app that is on the list, you can either Audit only, Block with override, or Block the activity. DLP actions defined in Restricted app activities are overridden if the app is a member of restricted app group. Then the actions defined in the restricted app group are applied.

File activities for apps in restricted app groups (preview)

You define your restricted app groups in Endpoint DLP settings and add restricted app groups to your policies. When you add a restricted app group to a policy, you must select one of these options:

• Don't restrict file activity
• Apply restrictions to all activity
• Apply restrictions to specific activity

When you select either of the Apply restrictions options, and a user attempts to access a DLP protected file using an app that is in the restricted app group, you can either Audit only, Block with override, or Block by activity. DLP actions that you define here override actions defined in Restricted app activities and File activities for all apps for the app.

See, Restricted apps and app groups for more information.

Microsoft Defender for Cloud Apps actions

• Restrict access or encrypt the content in Microsoft 365 locations
• Restrict Third Party Apps

On-premises repositories actions

• Restrict access or remove on-premises files.
  • Block people from accessing files stored in on-premises repositories
  • Set permissions on the file (permissions inherited from the parent folder)
  • Move file from where it's stored to a quarantine folder

See, DLP On-premises repository actions for full details.

Power BI actions

• Notify users with email and policy tips
• Send alerts to Administrator

Actions available when you combine locations

If you select Exchange and any other single location for the policy to be applied to, the

• Restrict access or encrypt the content in Microsoft 365 locations and all actions for the non-Exchange location actions are available.

If you select two or more non-Exchange locations for the policy to be applied to, the

• Restrict access or encrypt the content in Microsoft 365 locations and all actions for non-Exchange locations actions will be available.

For example, if you select the Exchange and Devices locations, these actions will be available:

• Restrict access or encrypt the content in Microsoft 365 locations
• Audit or restrict activities on Windows devices

If you select Devices and Microsoft Defender for Cloud Apps, these actions will be available:

• Restrict access or encrypt the content in Microsoft 365 locations
• Audit or restrict activities on Windows devices
• Restrict Third Party Apps

Whether an action takes effect or not depends on how you configure the mode of the policy. You can choose to run the policy in test mode with or without showing policy tip by selecting the Test it out first option. You choose to run the policy as soon as an hour after it's created by selecting the Turn it on right away option, or you can choose to just save it and come back to it later by selecting the Keep it off option.

DLP Platform Limitations for Actions

Action Name	Workload	Limits
Restrict access or encrypt content in Microsoft 365	EXO/SPO/ODB
Set headers	EXO
Remove header	EXO
Redirect the message to specific users	EXO	Total of 100 across all DLP rules. Can't be DL/SG
Forward the message for approval to sender's manager	EXO	Manager should be defined in AD
Forward the message for approval to specific approvers	EXO	Groups aren't supported
Add recipient to the To box	EXO	Recipient count <= 10; Can't be DL/SG
Add recipient to the Cc box	EXO	Recipient count <= 10; Can't be DL/SG
Add recipient to the Bcc box	EXO	Recipient count <= 10; Can't be DL/SG
Add the sender's manager as recipient	EXO	Manager attribute should be defined in AD
Apply HTML disclaimer	EXO
Prepend subject	EXO
Apply message encryption	EXO
Remove message encryption	EXO

User notifications and policy tips

When a user attempts an activity on a sensitive item in a context that meets the conditions of a rule (for example, content such as an Excel workbook on a OneDrive site that contains personally identifiable information (PII) and is shared with a guest), you can let them know about it through user notification emails and in-context policy tip popups. These notifications are useful because they increase awareness and help educate people about your organization's DLP policies.

Email notifications support by selected location

Selected location	Email notifications supported
Devices	- Not supported
Exchange + Devices	- Supported for Exchange - Not supported for Devices
Exchange	- Supported
SharePoint + Devices	- Supported for SharePoint - Not supported for Devices
SharePoint	- Supported
Exchange + SharePoint	- Supported for Exchange - Supported for SharePoint
Devices + SharePoint + Exchange	- Not supported for Devices - Supported for SharePoint Supported for Exchange
Teams	- Not supported
OneDrive for Business	- Supported
OneDrive for Business + Devices	- Supported for OneDrive for Business - Not supported for Devices
Power-BI	- Not supported
Microsoft Defender for Cloud Apps	- Not supported
On-premises repositories	- Not supported

You can also give people the option to override the policy, so that they're not blocked if they have a valid business need or if the policy is detecting a false positive.

The user notifications and policy tips configuration options vary depending on the monitoring locations you've selected. If you selected:

• Exchange
• SharePoint
• OneDrive
• Teams Chat and Channel
• Defender for Cloud Apps

You can enable/disable user notifications for various Microsoft apps, see Data Loss Prevention policy tips reference

• You can enable/disable notifications with a policy tip.
  • email notifications to the user who sent, shared, or last modified the content OR
  • notify specific people

and customize the email text, subject, and the policy tip text.

If you selected Devices only, you'll get all the same options that are available for Exchange, SharePoint, OneDrive, Teams Chat and Channel, and Defender for Cloud Apps, plus the option to customize the notification title and content that appears on the Windows 10/11 device.

You can customize the title and body of text with using these parameters. The body text supports these:

Common name	Parameter	Example
file name	%%FileName%%	Contoso doc 1
process name	%%ProcessName%%	Word
policy name	%%PolicyName%%	Contoso highly confidential
action	%%AppliedActions%%	pasting document content from the clipboard to another app

%%AppliedActions%% substitutes these values into the message body:

action common name	value substituted in for %%AppliedActions%% parameter
copy to removeable storage	writing to removable storage
copy to network share	writing to a network share
print	printing
paste from clipboard	pasting from the clipboard
copy via bluetooth	transferring via Bluetooth
open with an unallowed app	opening with this app
copy to a remote desktop (RDP)	transferring to remote desktop
uploading to an unallowed website	uploading to this site
accessing the item via an unallowed browser	opening with this browser

Using this customized text

%%AppliedActions%% File name %%FileName%% via %%ProcessName%% isn't allowed by your organization. Select 'Allow' if you want to bypass the policy %%PolicyName%%

produces this text in the customized notification:

pasting from the clipboard File Name: Contoso doc 1 via WINWORD.EXE isn't allowed by your organization. Select the 'Allow' button if you want to bypass the policy Contoso highly confidential

You can localize your custom policy tips by using the Set-DlpComplianceRule -NotifyPolicyTipCustomTextTranslations cmdlet.

To learn more about user notification and policy tip configuration and use, including how to customize the notification and tip text, see

• Send email notifications and show policy tips for DLP policies.

Policy tip references

Details on support for policy tips and notifications for different apps can be found here:

• Data loss prevention policy tip reference for Outlook for Microsoft 365
• Data loss prevention policy tip reference for Outlook on the Web
• Data loss prevention policy tip reference for SharePoint Online and OneDrive for Business web client

Blocking and notifications in SharePoint Online and OneDrive for Business

The following table shows the DLP blocking and notification behavior for policies that are scoped to SharePoint Online and OneDrive for Business.

Conditions	Actions config	User Notification config	Incident Reports config	Blocking and Notification behavior
- Content is shared from Microsoft 365 - with people outside my organization	No actions are configured	- User notifications set to On - Notify users in Office 365 service with a policy tip is selected - Notify the user who sent, shared, or last modified the content is selected	- Send an alert to admins when a rule match occurs set to On - Send alert every time an activity matches the rule set to On - Use email incident reports to notify you when a policy match occurs set to On	- Notifications will be sent only when a file is shared with an external user and an external user access the file.
- Content is shared from Microsoft 365 - only with people inside my organization	No actions are configured	- User notifications set to On - Notify users in Office 365 service with a policy tip is selected - Notify the user who sent, shared, or last modified the content is selected	- Send an alert to admins when a rule match occurs set to On - Send alert every time an activity matches the rule is selected - Use email incident reports to notify you when a policy match occurs set to On	- Notifications are sent when a file is uploaded
- Content is shared from Microsoft 365 - with people outside my organization	- Restrict access or encrypt the content in Microsoft 365 locations is selected - Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files is selected - Block only people outside your organization is selected	- User notifications set to On - Notify users in Office 365 service with a policy tip is selected - Notify the user who sent, shared, or last modified the content is selected	- Send an alert to admins when a rule match occurs set to On - Send alert every time an activity matches the rule is selected - Use email incident reports to notify you when a policy match occurs set to On	- Access to a sensitive file is blocked as soon as its uploaded, regardless of whether the document is shared or not for all external users. - If the sensitive information is added to a file after it is shared and accessed by a user outside the organization, then alerts and incident reports will be sent - If the document contains sensitive information before it is uploaded, external sharing will be blocked proactively. Because external sharing in this scenario is blocked when the file is uploaded, no alers or incident reports are sent. Suppression of the alerts and incident reports is designed to prevent a flood of alerts to the user for each blocked file. - Proactive blocking will show up as event in the Audit Log and Activity Explorer.
- Content is shared from Microsoft 365 - with people outside my organization	- Restrict access or encrypt the content in Microsoft 365 locations is selected - Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files is selected - Block everyone is selected	- User notifications set to On - Notify users in Office 365 service with a policy tip is selected - Notify the user who sent, shared, or last modified the content is selected	- Send an alert to admins when a rule match occurs set to On - Send alert every time an activity matches the rule is selected - Use email incident reports to notify you when a policy match occurs set to On	Notifications are sent when a file is shared with an external user and an external user access that file.
- Content is shared from Microsoft 365	- Restrict access or encrypt the content in Microsoft 365 locations is selected - Block only people who were given access to the content through the "Anyone with the link" option is selected.	- User notifications set to On - Notify users in Office 365 service with a policy tip is selected. - Notify the user who sent, shared, or last modified the content is selected	- Send an alert to admins when a rule match occurs set to On - Send alert every time an activity matches the rule is selected - Use email incident reports to notify you when a policy match occurs set to On	Notifications are sent as soon as a file is uploaded.

Learn more URL

Users may want to learn why their activity is being blocked. You can configure a site or a page that explains more about your policies. When you select Provide a compliance URL for the end user to learn more about your organization's policies (available for Exchange workload only), and the user receives a policy tip notification in Outlook Win 32, the Learn more link will point to the site URL that you provide. This URL has priority over the global compliance URL configured with Set-PolicyConfig -ComplainceURL.

User overrides

The intent of User overrides is to give users a way to bypass, with justification, DLP policy blocking actions on sensitive items in Exchange, SharePoint, OneDrive, or Teams, so that they can continue their work. User overrides are enabled only when Notify users in Office 365 services with a policy tip is enabled, so user overrides go hand-in-hand with Notifications and Policy tips.

Typically, user overrides are useful when your organization is first rolling out a policy. The feedback that you get from any override justifications and identifying false positives helps in tuning the policy.

• If the policy tips in the most restrictive rule allow people to override the rule, then overriding this rule also overrides any other rules that the content matched.

Business justification X-Header

When a user overrides a block with override action on an email, the override option and the text that they provide are stored in the Audit log and in the email X-header. To view the business justification overrides search the audit log in the compliance portal for ExceptionInfo value for the details. Here's an example of the audit log values:

{
    "FalsePositive"; false,
    "Justification"; My manager approved sharing of this content",
    "Reason"; "Override",
    "Rules": [
         "<message guid>"
    ]
}

If you have an automated process that makes use of the business justification values, the process can access that information programmatically in the email X-header data.

Incident reports

When a rule is matched, you can send an incident report to your compliance officer (or any people you choose) with details of the event. The report includes information about the item that was matched, the actual content that matched the rule, and the name of the person who last modified the content. For email messages, the report also includes the original message as an attachment that matches a DLP policy.

DLP feeds incident information to other Microsoft Purview Information Protection services, like insider risk management. In order to get incident information to insider risk management, you must set the Incident reports severity level to High.

Alerts can be sent every time an activity matches a rule, which can be noisy or they can be aggregated into fewer alerts based on number of matches or volume of items over a set period of time.

DLP scans email differently than it does SharePoint or OneDrive items. In SharePoint and OneDrive, DLP scans existing items as well as new ones and generates an incident report whenever a match is found. In Exchange, DLP only scans new email messages and generates a report if there's a policy match. DLP does not scan or match previously existing email items that are stored in a mailbox or archive.

Evidence collection for file activities on devices

If you've enabled Setup evidence collection for file activities on devices and added Azure storage accounts, you can select Collect original file as evidence for all selected file activities on Endpoint and the Azure storage account you want to copy the items to. You must also choose the activities you want to copy items for. For example, if you select Print but not Copy to a network share, then only items that are printed from monitored devices will be copied to the Azure storage account.

Additional options

If you have multiple rules in a policy, you can use the Additional options to control further rule processing if there's a match to the rule you're editing as well as setting the priority for evaluation of the rule.

See also

• Learn about data loss prevention
• Plan for data loss prevention (DLP)
• Create and Deploy data loss prevention policies