How to set up DLP policies with Exchange Online

Screenshot: enabling new policies in the Exchange admin console

Now that basic tools for data loss prevention are built into Exchange 2013, the E plans of Office 365 give you options for monitoring and blocking personal information in email without having to invest in extra security software.

If you operate in a regulated business or you handle credit card information and customer data, you need to have policies to ensure you're not revealing that information when you shouldn't.

Equally, you don't want to block innocent messages that happen to include strings of 16 digits, or forms that include examples of personal information. So instead of over-simplistic rules you need data loss prevention (DLP) tools.


In addition, you don't want automated policies that can hinder people in their jobs, so it has to be easy to make exceptions for false positives. A smart policy often includes a function for people to explain what's happening.

The DLP policies in Exchange Online 2013 are completely extensible if you want to write your own. But the fast way to get started is by picking standard templates from a list that includes: the PCI Data Security Standard for businesses handling credit cards (PCI DSS); templates for detecting common UK financial data and personally identifiable information like driver's licences and passport numbers; and the main UK data handling regulations.

Screenshot: the Exchange Online policy templates cover key UK and international privacy regulations

If you trade internationally, there are also templates for regulations in the US, Australia, Canada, France, Germany, Israel, Japan and Saudi Arabia.

To use the built-in policy templates, go to the Compliance Management section of the Exchange Administrative Console, choose New DLP policy from template and choose the template from the list.

When you save a new policy, leave the default so that it runs in test mode without policy tips. That lets you see what the policy finds and when it gets triggered without flashing a warning that can affect productivity. If it proves useful, change the mode to enabled.

Screenshot: keep the default rules or tune them to fit your company policies

You can also tweak the rules for how your company works. Is it OK for a few credit card numbers to go out by email for authorised purchases? Or do you need to block all of them?

It might be okay to send a few external emails with personal information, but if someone sends 50 messages you want it to trigger an audit. The policy templates include different rules for responses to a few or a large number of problem messages.

You can also add your own rules for more sophisticated choices. If a document is too long or in the wrong file format, you could block it, forward it to a manager, or encrypt and send it anyway. The latter would work as long as the user fills in a dialogue, confirming that they have reported the block as a false positive or read the company policy on emailing documents on its SharePoint site.

That might be the nicest DLP feature in Exchange Online; it keeps users informed and helps them deal with any issues.

Policy tips

The experience is best in Outlook and Outlook Web Access, which provide 'policy tips' that pop up like the familiar mail tips. Instead of warning users that they've mentioned but not included an attached file, or that they're replying to a message addressed to thousands of people, DLP policy tips warn them that they're breaking policy.

It's possible to edit the wording of warnings, so it's obvious this is a real company policy and not some automatic filter they can just ignore.

Screenshot: choose a policy template to add to your system

You can also include a way for users to override the policy and send the message. It's possible to do it from a policy tip in Outlook and Outlook Web Access.

On other devices they get a mail from the server saying what's happened. You can set up a rule that gives them a keyword they can send back to the server to unblock the message; many of the built-in templates let users put 'override' in the subject line – but that triggers an audit.

Or you might want to apply a workflow that holds the message pending approval from their boss, who receives an email asking them to approve or deny the message. That's also customisable; they can edit the response that goes back to the user telling them their boss has blocked it.
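The same set-up done from Exchange Online PowerShell rather than the admin console, as an added example that is not part of the original article: create a policy from a template in test mode, inspect the rules it generates, add low-count, high-count and override-audit rules, then switch to enforcement. It assumes an Exchange Online PowerShell session is already connected; the template name, rule names, match thresholds and the compliance mailbox address are illustrative and should be checked against your own tenant.

```powershell
# Added example (not from the article). Assumes an Exchange Online PowerShell
# session is already open; rule names, thresholds, the compliance mailbox
# and the template name are illustrative and should be checked against your tenant.

# Step 1: list the built-in templates and pick the PCI DSS one
Get-DlpPolicyTemplate | Select-Object Name, PublisherName
$template = "PCI Data Security Standard (PCI DSS)"   # assumed; copy the exact name from the output above
$policy   = "PCI card data"

# Step 2: create the policy in test mode without policy tips (Audit).
# AuditAndNotify would show policy tips while still testing; Enforce blocks.
New-DlpPolicy -Name $policy -Template $template -Mode Audit

# Review the rules the template generated before tuning them
Get-TransportRule -DlpPolicy $policy | Format-List Name, MessageContainsDataClassifications, NotifySender

# Step 3: a few card numbers to external recipients: warn, and let the sender
# override with a justification from the policy tip, or by putting
# 'override' in the subject from a client that has no policy tips.
New-TransportRule -Name "$policy - low count external" -DlpPolicy $policy `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{Name="Credit Card Number"; minCount="1"; maxCount="9"} `
    -ExceptIfSubjectContainsWords "override" `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText "Company policy: card numbers may not be emailed outside the company without a reason."

# A large number of card numbers in one message: hold it for the sender's
# manager and send an incident report to the compliance mailbox.
New-TransportRule -Name "$policy - high count external" -DlpPolicy $policy `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{Name="Credit Card Number"; minCount="10"} `
    -ModerateMessageByManager $true `
    -GenerateIncidentReport "compliance@contoso.example" `
    -IncidentReportContent Sender,Recipients,Subject,Severity,Override,RuleDetections `
    -SetAuditSeverity High

# Every use of the override keyword is audited, so overrides can be reviewed later.
New-TransportRule -Name "$policy - override audit" -DlpPolicy $policy `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "override" `
    -MessageContainsDataClassifications @{Name="Credit Card Number"} `
    -GenerateIncidentReport "compliance@contoso.example" `
    -IncidentReportContent Sender,Recipients,Subject,Override,RuleDetections `
    -SetAuditSeverity Medium

# Step 4: after reviewing what test mode found, switch the policy to enforcement
Set-DlpPolicy -Identity $policy -Mode Enforce
```

The incident reports land in the compliance mailbox as ordinary messages, which is where the false positives that test mode surfaces can be reviewed before the switch to Enforce.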

Underlying all this is that, while you can use this technology to detect issues, what you need to fix them isn't just rules and automatic policies – it's good old-fashioned management of employees. With Exchange Online, you get the option to have both.


Mary started her career at Future Publishing, saw the AOL meltdown first hand the first time around when she ran the AOL UK computing channel, and she's been a freelance tech writer for over a decade. She's used every version of Windows and Office released, and every smartphone too, but she's still looking for the perfect tablet. Yes, she really does have USB earrings.