Let’s Get it Done – Microsoft 365 Data Loss Prevention (DLP)

Announcing improved DLP automation to address today’s DLP needs

Interest in DLP continues to grow among MSP customers. Cyber-attacks continue to grow in number and sophistication, and DLP helps avoid cyber-attacks by preventing a company’s sensitive data from being sent to or accessed by unauthorized parties.

DLP also helps companies who are trying to get closer to meeting a cyber-security compliance framework such as CIS, GDPR, HIPAA, Essential Eight, and more.  

In this blog we review the basics about DLP, some more advanced features of DLP, and the M365 license requirements. We also explore the challenges for MSPs trying to manage DLP for multiple customer tenants, and how Security Manager’s new commands make DLP management easy.

DLP review – The basics

DLP, otherwise known as data loss prevention, helps prevent employees from inappropriately sharing sensitive data with people who shouldn’t have it. It contains many controls, tools, policies, and reporting which can be configured and managed by IT professionals to prevent data leaks.

Nearly every business has sensitive information under their control such as financial data, proprietary data, credit card numbers, health records, social security numbers, and more industry-specific data such as Personal Identifiable Information (PII).

DLP is now even more crucial for companies to have configured properly. M365 contains some of the best collaboration tools in the world. But with that power, companies are at greater risk of their employees sharing sensitive information to the wrong recipients via either email, document sharing, chat, and more.

Requirements and setup

Partners successfully sell customers on the M365 licenses required by reminding them that the average cost of a cyber-attack is $4.3 million dollars.1 Additionally, there is opportunity for business to expand their customer base and even charge more for their services by being more security compliant with accreditations which DLP helps attain.

DLP conversations with customers often require a conversation about M365 licensing \. Below is a table to clarify the options available.

Microsoft 365 ProductE3/G3/A3/F3 LicenseE5/A5/G5/F5DLP Add-On (for Business Standard and Business Premium)Exchange Online Plan 2 Standalone
ExchangeBasic DLP policies for Exchange OnlineComprehensive DLP features, including advanced optionsBasic DLP featuresFull DLP capabilities
SharePointBasic DLP policies for SharePoint OnlineComprehensive DLP features, including advanced optionsBasic DLP featuresFull DLP capabilities
OneDriveBasic DLP capabilities for OneDriveComprehensive DLP features, including advanced optionsBasic DLP featuresFull DLP capabilities
TeamsBasic DLP policies for files shared through TeamsStarting from June 30, 2023, Teams-specific DLP policies require an E5/A5/G5/F5 licenseBasic DLP featuresFull DLP capabilities

Basic DLP: This default level of DLP detects when sensitive data is shared with people outside of the organization via policy tip and an email. 

Comprehensive DLP: Includes Basic DLP features along with ability to block access to sensitive information shared, with end-user override option. Incident reports are also available via email.  

Full DLP: The highest level of protection allows you to architect custom DLP policies from scratch, using the full range of options and settings available in the Microsoft Purview compliance portal. Define and configure what types of information are sensitive, along with actions, exceptions, and notifications.  

The DLP advantages with Security Manager  

SkyKick has just released an update to Security Manager’s DLP automation. This new interface aligns with Microsoft’s recommended best practices offered via templates, which essentially provide a shortcut to focus on DLP policies and rules which are specific to a company’s location, industry, or other attributes. 

Even with Microsoft DLP templates, these still require MSPs to perform dozens of steps to set up. And perhaps most cumbersome for partners, each company’s DLP must be configured one tenant at a time. 

Security Manager combines the advantages of these templates with the ability to manage them across multiple customer tenants, and to do so in a standardized way. Filter templates by countries and regions and select one or more regulations to create the appropriate DLP policy relevant to that region. You can also apply policies to data stored in the locations you choose and specify the policy mode and rule actions for low and high-volume matches.  

Simply log into SkyKick, select Security Manager, and search workflows for “Create Microsoft 365 DLP Policies From Templates” 

The following are the template options within Security Manager. Note: The country and financial regulations are dynamic: These will dynamically toggle which further options are recommended.  

A complete list of available templates and the options therein is conveniently located within the command within the Security Manager interface. 

Security Manager: A better way to manage DLP  

IT professionals who have tried to manage DLP know that it can be time consuming to choose the right options and standardize the settings for a company. For MSPs, that challenge is compounded by needing to manage multiple customer tenants.  

Security Manager makes this easy for MSPs by docking to Microsoft’s DLP templates, but allowing you to run them across any or all of the customers under your management. 

And it’s just one of the many reasons why MSPs are using Security Manager to scale their security practice.  

Watch 3-Minute How-To Videos

Take a Self-Guided Tour


  1. Cost of a Data Breach Report | IBM