Microsoft Purview Data Loss Prevention (DLP) is a unified DLP service that prevents the unauthorized exfiltration of sensitive organizational data from Microsoft 365, SaaS apps, and endpoint devices. It is a core feature for compliance with GDPR, HIPAA, PCI DSS, APPI, and proper design is essential for production operations. This article comprehensively covers DLP Policy structure, SIT usage, Endpoint DLP, Adaptive Protection, EDM, and staged rollout.
A DLP Policy combines 'Locations (where applied) + Conditions (criteria) + Actions (response)'.
Microsoft Purview's SIT provides 200+ built-in patterns.
Example: a credit card SIT detects a 16-digit number plus Luhn algorithm validation plus 'credit card' / 'payment' keyword proximity for a High Confidence match.
Controls sensitive data operations on Windows 10/11 and macOS devices.
App-level control via Restricted Apps (only allowed apps can access sensitive data) and Restricted App Groups. For BYOD, combine with App Protection Policy to container-isolate personal data and corporate data.
Adaptive Protection is a 'risk-based dynamic DLP' feature. It dynamically adjusts DLP Policy strength based on a user's Risk Level calculated by Insider Risk Management.
| Risk Level | DLP Behavior |
|---|---|
| Minor Risk (normal) | Audit + Notify |
| Moderate Risk | Enhanced Block with Override |
| Elevated Risk | Full Block + immediate SOC notification |
Risk evaluation leverages machine learning, dynamically judging based on past anomalous patterns (mass file downloads, personal email sends, resignation notices). It evolves from traditional Static DLP (one Policy fits all) to realize balanced usability and security.
A mechanism for DLP to detect data that exactly matches organization-specific databases (customer lists, employee IDs, medical record IDs, etc.).
Enables exact matches on organization-specific data that built-in SITs cannot detect, with a low false positive rate (higher precision than Pattern Match).
What is Microsoft Purview DLP?
Microsoft Purview Data Loss Prevention (DLP) is a unified DLP service that prevents the unauthorized exfiltration of sensitive organizational data from Microsoft 365, SaaS apps, and endpoint devices. It centralizes policy definition, enforcement, and monitoring across Exchange / SharePoint / OneDrive / Teams / Endpoint, Defender for Cloud Apps (CASB), and Power Platform. It identifies sensitive data through a combination of Sensitive Information Types (SIT, 200+ built-in patterns including credit card numbers, SSNs, and Japanese My Number) plus Sensitivity Labels, and executes actions such as Block, Notify, Encrypt, or Allow with Justification. It is a core feature for compliance with GDPR, HIPAA, PCI DSS, APPI, and a key topic on the SC-400 exam.
What are the components of a DLP Policy?
A DLP Policy combines 'Locations (where applied) + Conditions (criteria) + Actions (response)'. Locations: Exchange Email, SharePoint Sites, OneDrive Accounts, Teams Chat and Channels, Devices (Endpoint DLP), Defender for Cloud Apps, Power BI, Fabric. Conditions: 1) Sensitive Info Type (200+ built-in plus custom), 2) Sensitivity Label applied, 3) Contextual conditions (recipient domain, recipients, attachment count, User Risk Level). Actions: Block (full send denial), Block with Override (send allowed with Justification), Notify User (Policy Tip display), Send Incident Report to Admin (SOC notification), Encrypt (auto-apply Rights Management), Quarantine. Standard pattern: tier policies so highly sensitive data is Blocked, medium-sensitivity data is Notify + Justification, and low-sensitivity data is Audit-only.
How do you choose Sensitive Information Types (SIT)?
Microsoft Purview provides 200+ built-in SIT patterns. Examples: credit card numbers (16 types including Visa, MasterCard, American Express), social security numbers (US SSN, UK NINO, Japanese My Number), driver's license numbers, passport numbers, bank account numbers, medical record numbers, phone numbers, email addresses, addresses, IP addresses. Each SIT consists of 'Primary Pattern (regular expression), Supporting Element (proximity keywords), Confidence Level (High / Medium / Low), Minimum Confidence (detection threshold)'. Example: a credit card SIT detects a 16-digit number plus Luhn algorithm validation plus 'credit card' / 'payment' keyword proximity for a High Confidence match. When built-in SITs don't cover the requirement, create a Custom SIT (Regular Expression + Keyword List). Exact Data Match (EDM) enables matching against organization-specific databases, providing precise matches against large datasets such as employee ID lists or customer lists.
How does Endpoint DLP work?
Endpoint DLP controls sensitive data operations on Windows 10/11 and macOS devices. Microsoft Intune manages target devices via Compliance, and the Defender for Endpoint Agent monitors on-device operations (USB copy, printing, Bluetooth, Cloud Sync, web browser upload, clipboard). Typical controls: 1) Block USB / Bluetooth copy of sensitive files, 2) Block personal Cloud Sync of sensitive files (Dropbox, Google Drive), 3) Block sensitive data uploads to web browsers (allow-list domains only), 4) Block screen capture of sensitive files, 5) Block printing of sensitive files. App-level control via Restricted Apps (only allowed apps can access sensitive data) and Restricted App Groups. For BYOD, combine with App Protection Policy to container-isolate personal data and corporate data. In production deployments, the standard is staged rollout starting with Audit rather than Block to avoid disrupting user workflows.
What is Adaptive Protection?
Adaptive Protection is a 'risk-based dynamic DLP' feature announced by Microsoft in 2023. It dynamically adjusts DLP Policy strength based on a user's Risk Level (Minor Risk, Moderate Risk, Elevated Risk) calculated by Insider Risk Management. Typical behavior: 1) Normal users (Minor Risk) → Audit + Notify, 2) Users with anomalous activity in the past 30 days (Moderate Risk) → enhanced Block with Override, 3) High Risk users → full Block + immediate SOC notification. Risk evaluation leverages machine learning, dynamically judging based on past anomalous patterns (mass file downloads, personal email sends, resignation notices). It evolves from traditional Static DLP (one Policy fits all) to risk-based graduated control, realizing 'usability and security balance' — the latest feature of Microsoft Purview.
How do you use Exact Data Match (EDM)?
Exact Data Match (EDM) is a mechanism for DLP to detect data that exactly matches organization-specific databases (customer lists, employee IDs, medical record IDs, etc.). Process: 1) Export Source Database to CSV (e.g., all customers' Email + Customer ID list), 2) Define EDM Schema (field names, Primary Element settings), 3) Upload Schema to Microsoft Purview Compliance Center + hash data (the original data is not uploaded, only hashes are stored in Purview), 4) Reference the EDM SIT in DLP Policy, 5) Re-upload EDM periodically when Source Database is updated. Typical use cases: 1) Customer PII exfiltration detection, 2) Unauthorized access to medical record IDs, 3) Employee SSN email send detection. It enables exact matches on organization-specific data that built-in SITs cannot detect, with a low false positive rate (higher precision than Pattern Match), greatly contributing to DLP accuracy in production.
What are the best practices for DLP operations?
Key practices: 1) Deploy in Audit mode → Tune → migrate to Block mode in stages (1-3 months to reduce false positives), 2) Two-layer defense by combining Sensitivity Label + DLP (DLP targets only labeled files), 3) Risk-based dynamic control with Adaptive Protection, 4) User education via Policy Tips (explain why blocked), 5) Endpoint DLP staged expansion from Office Apps to Restricted Apps, 6) Exact matches on organization-specific data with EDM, 7) Continuous DLP event monitoring in Activity Explorer, 8) Send DLP events to Microsoft Sentinel, anomaly detection with KQL, 9) Insider threat detection through integration with Insider Risk Management, 10) Quarterly Policy review + false positive analysis. In production, balancing business continuity with high detection accuracy is the challenge; careful staged rollout and continuous improvement are the keys to success.
Which certifications are related?
SC-400 (Information Protection and Compliance Administrator Associate) is the primary certification for this area, deeply tested in Domain 2 (DLP 15-20%). SC-100 (Cybersecurity Architect Expert) covers the Data pillar of Zero Trust strategy, MS-102 (Microsoft 365 Administrator Expert) covers enterprise rollout in Domain 4 (Purview 20-25%), SC-300 (Identity Admin) covers Conditional Access App Control integration, and SC-200 (Security Operations Analyst) covers DLP event operations from the SOC perspective. It is essential knowledge across all Microsoft security certifications.
Related Articles & Deep Dives
SC-400 完全ガイド|Microsoft Information Protection and Compliance Administrator Associate 出題範囲・学習リソース・合格戦略【2026 年版】
Microsoft Certified: Information Protection and Compliance Administrator Associate (SC-400) の完全ガイド。4 ドメインの出題範囲、Microsoft Purview の Sensitivity Label / DLP / Insider Risk / Communication Compliance / eDiscovery / Retention の実装、3-4 ヶ月の合格ロードマップ、SC-100 / MS-102 への展開ルートを日本語で網羅。
MS-102 完全ガイド|Microsoft 365 Administrator Expert 出題範囲・学習リソース・合格戦略【2026 年版】
Microsoft Certified: Microsoft 365 Administrator Expert (MS-102) の完全ガイド。4 ドメインの出題範囲、テナント / Entra ID / Defender XDR / Purview を横断的にカバー、SC-300 / SC-200 との重複と差異、Microsoft 365 Developer Program 活用法、3-4 ヶ月の合格ロードマップ、SC-100 / MD-102 への展開ルートを日本語で網羅。
Microsoft 365 / Modern Workplace エンジニア キャリアロードマップ|MS-900 → MS-102 → アーキテクトへの道【2026 年版】
Microsoft 365 / Modern Workplace エンジニアになるための認定取得ロードマップ完全版。MS-900 → MS-102 (Expert) の王道ルート、MD-102 / SC-300 / SC-400 / MS-700 / PL シリーズとの組み合わせ、Microsoft 365 Developer Program 活用法、8-12 ヶ月の学習プラン、年収レンジまで日本語で網羅。
Azure セキュリティエンジニア キャリアロードマップ|SC-900 → SC-200/300/400 → SC-100 シニアへの道【2026 年版】
Azure セキュリティエンジニアになるための認定取得ロードマップ完全版。SC-900 → SC-200/300/400 のいずれか → SC-100 / SC-500 の王道ルート、ロール別の優先順序、CISSP との二刀流戦略、SC-500 (旧 AZ-500 後継、2026-09 GA 予定) の動向、10-15 ヶ月の学習プラン、年収レンジまで日本語で網羅。
Technical information in this article is based on the Microsoft Purview DLP Documentation. This article is not an official Microsoft Corporation product and has no affiliation or endorsement relationship with Microsoft. Microsoft, Azure, and Microsoft Purview are trademarks of the Microsoft group of companies. Information is based on official public materials as of May 24, 2026. Always check official pages for the latest information.
Practice with certification-focused question sets
View Azure Exam PrepNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
AZ-900 Azure Fundamentals: Complete Exam Guide (2026)
Pass AZ-900 — cloud concepts, Azure architecture, management...
Azure Certification Roadmap: Which Cert to Take Next (2026)
Choose your Azure certification path — Fundamentals, Associa...
AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)
Pass AI-901 — Microsoft Foundry, generative AI, responsible ...
Microsoft Entra ID Fundamentals for Azure Certs (2026)
Entra ID basics every cert candidate needs — tenants, identi...
DP-900 Azure Data Fundamentals: Complete Guide (2026)
Pass DP-900 — relational, non-relational, analytics, Power B...