DLP leverages search in O365

Reading Time: 3 minutes

Blog Post: 3 minute read

Data Loss Prevention (DLP) helps organizations comply with business standards and industry regulations by protecting sensitive information and preventing its inadvertent disclosure. Although DLP has been around for awhile I can only assume there are others, like me, who have never used it before and are unaware how it leverages search.

DLP is part of the larger Security & Compliance Center in O365. As more and more organizations are moving their data to the cloud, they are turning their attention to these features within O365. I’m encouraged to see the inclusion of content from Exchange Online, SharePoint Online and OneDrive for Business all through one unified compliance experience in the Security & Compliance Center… a “One-stop Compliance shop!”.

With a DLP policy you can identify and prevent sharing of sensitive information across Exchange Online (including O365 Group conversations), SharePoint Online (including O365 Group sites), and OneDrive for Business. Its capabilities also reach into the desktop versions of Word, Excel, and PowerPoint to identify and prevent the same sharing of this sensitive information right at the source.

You might be wondering what are some of the “brains” behind DLP. It’s one of my favorite parts of SharePoint…Search!!

At a high-level, DLP is accomplished by creating DLP policies  that include conditions to match certain types of content. There are numerous pre-defined sensitive information types you can use in these conditions (credit card number, social insurance number, etc.) however I was pleasantly surprised to learn these conditions can also use managed properties from the search index in their definition. Managed properties are used in regular SharePoint search and in Delve already so if you’re familiar with the creation of managed properties for those services, the same rules apply here. (Manage the search schema in SharePoint Online)

Once you understand managed properties can be used to set conditions on a DLP policy, imagine how powerful this can be! You could define a policy that is associated with a specific metadata value on a document or for a specific content type. Here are some examples…

Example 1:

If you had a site column DocumentType with choice values of ‘Public, Internal, Super Secret’, you could add a condition for all content with its managed property (DocumentTypeOWSCHCS) value of ‘Super Secret’. You could then add this condition to a DLP policy to block external sharing for all ‘Super Secret’ documents. Very powerful.

Example 2:

Use a managed property mapped to the content type crawled property in a DLP condition. You could then apply a policy to all “Contract” content types across your organization to block external sharing for example. Useful!

One thing observed thru testing is the following 3 properties must be set on a managed property to be recognized in a DLP policy condition: Queryable, Retrievable and Token Normalization.

There is a client and server component to DLP. Policies are stored and updated on the client machine once per day and is what’s used to identify policy violations at the source. How does this look in the desktop programs? Here’s an example of what Microsoft Word looks like when you’ve entered a sensitive number (eg. credit card number) in the content of the document…


On the server side, there is an asynchronous processing component to ensure content is constantly monitored. This process happens in the background as content across the tenant is added and changed and policies are added/changed. This is another place where search comes into play since the search index is queried to see if any content matches the new policies or is now compliant with policies.

Asynchronous DLP Processing

Both the client and server side processing ensures your content is constantly being monitored for policy violations. The continuous crawl in SharePoint also ensures the most up-to-date results are being queried.


How should you prepare for DLP? Before introducing it in your organization there is work to be done. You should consult with your Information Management and security teams to determine the security , IT, and handling controls in your organization and identify where DLP can help automate those controls. Based on your organization’s requirements, you may need to leverage search managed properties in your DLP policy conditions.

Thanks for reading.


One comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.