Data Loss Prevention in Microsoft Teams

Image: Data Loss Prevention Hacker Image
By Neil Hobson on

Data Loss Prevention in Microsoft Teams

Data Loss Prevention is even more important with the recent COVID-19 situation and resultant lockdown. Microsoft Teams supports the day-to-day collaboration activities for users across many organisations. Teams is now playing a pivotal role in keeping users connected as they work remotely. With more usage being made of Teams, coupled with the external access and guest access capabilities it has, organisations may need to consider what sensitive information is being sent via this service.

Office 365 Data Loss Prevention (DLP) policies help prevent sensitive information from being carelessly shared or otherwise leaked. For example, a DLP policy applied to Exchange Online mailboxes can help prevent sensitive information from being shared via email. Applied to Microsoft Teams, DLP policies help protect sensitive information in Teams chats and channel messages.

For licensing information on Data Loss Prevention, see the Microsoft 365 licensing guidance for security & compliance

Sensitive information types in Office 365

The foundation for DLP policies is sensitive information types. Office 365 includes approximately 100 built-in sensitive information types that can be used in DLP policies. These include types such as financial data and Personally Identifiable Information (PII), e.g. credit card numbers, bank account numbers, passport numbers and so on. Microsoft provides sensitive information types for different regions around the world. It is also possible to define custom sensitive information types too.

Image: Sensitive info types in Office 365 screen

Data Loss Prevention policies applied to Teams

Let us look at an example scenario where an organisation adds guest users to a team. How can it help prevent the sharing of sensitive information with guest users in Teams? For this scenario, a DLP policy can be applied to Teams chat and channel message locations and configured to trigger when sensitive content is shared outside the organisation.

Image: Choose locations options screen

As an example, suppose the DLP policy is configured to detect and block the sharing of financial data in Microsoft Teams with guest users outside the company. When a user posts financial data – in this example credit card details – in a chat message with a guest user, they are informed that the message was blocked:

Image: Microsoft Teams Message blocked pop up

The user is also informed why the message was blocked:

Image: Data Loss Prevention Message blocked because it contains sensitive data pop up


In the example above, this DLP policy configuration allows users to override the policy with a justification. This override configuration is optional and configured as desired in the DLP policy.

Data Loss Prevention policy reporting

DLP reporting in Office 365 allows an organisation to review the DLP activity taking place and hence also determine whether the DLP policies are working as intended. There are reports for policy matches, incidents, false positives and overrides, and third-party DLP policy matches. For example, the DLP Policy Matches report is helpful in tuning DLP policies because it shows matches against the different rules when items have matched multiple rules.

Image: Data Loss Prevention report example chart

If the DLP policy configuration allows users to override the policy, the DLP false positives and overrides report can be used to help further tune any DLP policies affected by false positives. As the policy name suggests, it can also be used to view justifications entered by users.

Other scenarios for Teams and sensitive information

Microsoft Cloud App Security session policies can be created and configured to monitor access to Microsoft Teams via web browser. The Conditional Access App Control for Microsoft Teams is in preview.

Image: Conditional access app control preview screen

One of the templates available for the session policies is to block downloads based on real-time content inspection. Then, by using the built-in DLP inspection method within the session policy configuration, attempts to download content containing the specified sensitive information can be blocked.

Image: Data Loss Prevention Download blocked screen

Implementation of DLP in Teams will likely need planning. There are decisions to be made about the sensitive information to be checked for, as well as the construction of the policy itself. There are many policy configuration options available that need to be carefully planned. Microsoft also offers the ability to test policies before they are enforced, thereby allowing policies to be fine-tuned after initial tests are performed.

How can we help?

Silversands is a Microsoft Gold Partner of over 30 years standing,  which specialises in Microsoft 365 delivered across cloud (Azure) and hybrid IT infrastructures. We provide consultancy, support and user adoption services. We are running a series of webinars this quarter, but specifically related to Microsoft Teams we have a webinar on 12th May. Click on the banner below to find out more and register.

We’re aware that the COVID-19 crisis and ensuing lockdown in The UK has really put pressure on organisations to expand deployment and usage of Microsoft Teams, with resultant challenges and risks. So we have developed a process to speed up deployment and created a package of expert-delivered training sessions. For more information please download the PDF summaries:

Image: Microsoft Teams Rapid Enablement Process banner

Image: Microsoft Teams Quick Start Sessions

If you need help and would like to have a chat about how Silversands might be able to help you, please complete the form below:

Contact us

  • This field is for validation purposes and should be left unchanged.


We have the expertise and the experience to provide specialist solutions and drive your business forward

Get in touch

How can we help you?

Get in touch

What updates would you like?