The Definitive Guide to Office 365 DLP


What is Microsoft Office 365?

Office 365 is the “top” enterprise cloud application in the world with over 137 million commercial users contributing to nearly $25 Billion in cloud revenue for Microsoft. This includes Office (Word, Excel, PowerPoint), Exchange, SharePoint, Skype for business, and Microsoft for Teams. The following stats from McAfee highlight the need for Cloud Office 365 DLP:

  • 19% of employees use OneDrive for Business
  • 67% of companies with 100+ employees use Exchange online
  • 35% of enterprises moved to SharePoint
  • Skype for Business is healthcare’s primary communications platform

What is DLP or data loss prevention?

DLP or data loss prevention is simply the process of preventing the loss or theft of sensitive or confidential information or data, protecting data from sophisticated threats, without adversely impacting the collaboration and productivity of the teams. There are several steps to data loss prevention that your security team undertakes:

  1. Identify the assets that need protection,
  2. Define the appropriate security policies,
  3. Selects and deploys a vendor,
  4. Deploys the policies in active or passive mode,
  5. Lastly, actively monitors the system for policy enforcement

What is Office 365 DLP?

Office 365 DLP is about making data loss prevention work effectively in the Office 365 environment. This includes protecting sensitive data across all Office 365 products. It also includes defining and enforcing (role-based) access to sensitive data. And this article will provide a guide that will help you make the right choices. Your early choices will make it easy to deploy and maintain your Office 365 DLP environment.

Why this Guide?

In this guide, you understand the benefits and drawbacks of deploying a DLP system for Office 365. Additionally, you 1) Find a list of Office 365 DLP vendors; 2) Evaluate the pros and cons of cloud DLP or on-premise DLP for Office 365; 3) Find tips and recommendations for policy definition, setup, and enforcement; and 4) Calculate your 5-year cost of Office 365 DLP deployment.

After reading this guide, you’ll be ready to make your first decisions. You will be able to answer these questions:

  • Do you need Office 365 DLP?
  • Is the native Office 365 DLP suitable for your environment?
  • How do choose the right Office 365 DLP vendor?
  • Should you use endpoint DLP protection?
  • Is it enough to encrypt data-at-rest or data-in-motion?
  • Should you extend your current DLP to include Office 365?
  • Can you maintain policy consistency across your company?
  • How much does it cost?
  • What is Microsoft Intune and is it included in Office 365?
  • What is Cloud App Security and is it included in Office 365?
  • Can I apply Office 365 DLP on Skype for Business?
  • And, learn some tips on Office 365 security

In this article you will find:

  1. Benefits
  2. Drawbacks
  3. Preparation & Costs
  4. Ongoing maintenance & incident response
  5. Choosing the right vendor
  6. Summary
  7. Other Security Tips


Benefits and reasons for Office 365 DLP

Network DLP data loss prevention

Prevent data breaches

Data breaches happen at an increasing rate. Bitdefender reports that 34% of the companies were breached. And 67% of these breached companies pay $124K to avoid public shaming. Your company plans to migrate to the Office 365 solution. A DLP solution is necessary to prevent data breaches and avoid negative media headlines.

67% of breached companies pay $124K to avoid public shaming

Prevent sensitive data from being shared with unauthorized users

As a part of Office 365, Microsoft Graph provides a set of APIs that enable real-time policy enforcement. This policy enforcement covers all users and devices including BYOD. Policies could be enforced for users based on user groups, titles, specific individual privileged users, or users outside the enterprise. Policies could also be enforced by the type of sensitive data. For example, you may enforce a policy to prevent a specific type of sensitive data to be shared only with C-level executives within the company, implying that any other user will be prevented from receiving this sensitive data from the C-level executives.

Role based access to sensitive data is required to prevent business email compromise.

Prevent high-value data from being uploaded to the cloud

Microsoft Graph and Office 365 provide a comprehensive set of APIs that enable real-time policy enforcement. This policy enforcement covers specific assets or type of assets, for example high-value information such as efficacy data for a pharma company or intellectual property for a technology company. Policies could be enforced for all users to prevent this specific type of high-value data from being uploaded onto the Office 365 cloud.

Enforce policies to prevent highly sensitive or privileged data from being uploaded to cloud

Meet compliance requirements as data moves to the cloud

Office 365 provides a comprehensive ability to manage security, compliance, and data governance. A DLP implementation will further provide regulatory compliance, such as HIPAA (PHI – Personal Health Information), PCI-DSS (Payment card information), and several other regulations that cover PII (Personally identifiable information). Further new regulations such as CCPA (California Consumer Privacy Act) require adequate data security to prevent data breaches. While Office 365 provides an ability to encrypt data migrating to the cloud or at-rest in the cloud, a DLP prevents data exfiltration resulting from a compromised or malicious user.

Centralize data governance, risk, and compliance to adapt to new regulations such as CCPA

Detect insider threats and business email compromise

Office 365 DLP will provide the necessary additional defense to detect ex-filtration of highly valuable data by malicious users and compromised users. Office 365 provides comprehensive user authentication including multi-factor authentication. While enabling multi-factor authentication is sufficient to provide additional defense to gain access to privileged accounts, password usability is still a factor. Privileged users could be a target for spear-phishing. Malicious users could ex-filtrate highly valuable data. Office 365 Data Loss Prevention provides the necessary defense to prevent such data theft.

Automate remediation action

Depending on the policies you deploy, remediation actions may include either passive or active remediation. And, Office 365 DLP may provide a way to automate remediation enabling your security team to focus on exception-based alert processing. Leveraging remediation work-flow drives efficiencies and saves money. Remediation actions may include:

  • Block data or file upload
  • Block new file creation
  • Send email notification to the user
  • Quarantine file
  • Coach users regarding appropriate policies on sensitive information

Drawbacks of Office 365 DLP

Some CSOs and CISO are not fully onboard with Office 365 Data Loss Prevention. The biggest complaints are about deployment complexity and false positives. The main reason could the challenges and issues faced by these CSOs and CISOs in their enterprise DLP deployments. Often cited reasons for poor DLP performance are:

  • Educating the users across the company to do data tagging and classification is extremely challenging
  • Need better tools to automate the process of data classification
  • Metadata is not the end all and means all for classification
  • The ultimate goal would be enterprise data flow management

Complexity of deployment

The Office 365 DLP system is a business solution. It should not be considered as a technology product that is the panacea to all evils. After your company decides to deploy the Office 365 DLP, the work to make it effective really begins. You need to know where your assets are, determine which data is valuable and classify your data, define data protection policies, and refine them based on your threat vectors. Your organization is likely to move over 1 TB of data each month to OneDrive, SharePoint online. More adoption implies more data, and analyzing this volume of data each month for sensitivity is complex and expensive.

A solution to overcome this is to evaluate vendor products for real-time, sensitive data classification. Ability to auto-classify newly created data must be in your vendor evaluation.

False Positives

Office 365 DLP is likely to provide a mechanism for the user to tag a specific DLP action as inappropriate and trigger a false positive report – either for the individual’s ability to use sensitive data or incorrect classification of the data. This requires a security admin to investigate, engage the user and potentially re-classify the data. This is an expensive and time-consuming process. Given the scale of adoption, and data movement to the cloud, this could be a burden on your security budget. If you lower the threshold of sensitivity, then you are likely creating a false sense of security deploying Office 365 DLP system.

A solution to overcome this is to evaluate vendor products for accuracy of classification of your specific data. Lookout for the ability to automate policies by users’ roles.

Pricing and Cost of DLP

Office 365 DLP is natively available from Microsoft. However, the native Data Loss Prevention solution Data Loss Prevention solution is available only in Office 365 Enterprise E3 or higher bundle which requires annual commitment and near $20 per user per month. Office 365 DLP is also available with API integrations from several other vendors including McAfee, Symantec, Netskope, Digital Guardian, Forcepoint, Essert, and several other vendors. Typical pricing from these vendors specifically for Office 365 ranges from $2 to $4 per user per month with likely annual commitments. While the annual licensing costs may not be burdensome on your budget, you need to evaluate vendor pricing for day 2 operational costs including cost per incident, cost of policy changes, cost of data discovery and classification, among others.

Calculate your CAPEX and OPEX costs (see below). Evaluate DLP-as-a-service option. Evaluate the possibility of a less expensive package for Office 365. Pricing choices are confusing. Take time to evaluate.

Language support

Office 365 is widely used around the world. While the sensitive classification of structured data is widely available, there is a limitation of sensitive classification of natural language and unstructured data occurring in Word, PowerPoint, PDF, and Excel documents. As a result, the wide adoption of Office 365 DLP for unstructured data is a major drawback or limitation in the deployment of Office 365 DLP.

Most DLP vendors provide an ability to classify structured data patterns. Check for vendors who have the ability to classify unstructured data in multiple languages.

Preparation for Office 365 DLP

Preparation is the most important part of Office 365 DLP deployment. First let’s review some deployment scenarios, and identify specific areas of ex-filtration of sensitive data either accidentally or maliciously.

Proper prior preparation prevents piss poor performance.

British Army

What is data loss prevention (DLP)?

Data loss prevention (DLP) is a set of tools, and business processes designed to prevent any loss, theft, misuse, or unauthorized access to sensitive information. A DLP inspects data or information and takes appropriate remediation (block, report, or allow). The data may be in-motion or at-rest. It may be on an endpoint, or within your network. Users collaborate and likely share sensitive data internally or externally.  Shared data may be public, confidential, sensitive, highly sensitive, or privileged. You may store the data on-premise, in the cloud, or a 3rd party service. The data may be regulated under HIPAA, PCI-DSS, CCPA, GDPR, GLBA, FCRA, or DPPA depending on your company and industry you operate in.

What are your business needs?

Applying DLP across everything and everywhere is expensive. Avoid applying DLP across your entire enterprise as your initial DLP deployment. Start your DLP deployment with Office 365. Further, focus on high-risk teams or users. These high-risk users are likely to have access to highly sensitive or privileged data.

Start Office 365 DLP deployment with a few high-risk users.

  1. Impact on day-to-day business: Be clear. Set user expectations. Will this new DLP deployment substantially change the way users interact with data and applications? Ensure that your DLP deployment does not severely impact critical business functions such as collaboration, customer engagement, critical projects, and the like.
  2. Endpoint protection and/or Network DLP: You should seriously consider endpoint DLP protection along with your Office 365 DLP. Office 365 does not provide native endpoint DLP protection. Check out this list of vendors for End Point Protection. However, you may consider Microsoft Intune that is likely bundled with your Office 365 Business package. It is unclear if Microsoft Intune and Office 365 DLP policies are consistently synced. Do may plan to deploy network DLP along with Office 365 DLP? You may consider a network DLP at a later stage. Office 365 DLP vendors also offer network DLP and CASB functionality.
  3. Impact on performance: Performance is a likely consideration. If you deploy an endpoint Data Loss Prevention protection, this could have a noticeable impact on your users. Most network DLPs require expensive data discovery that has a performance impact. However, this performance impact may be limited or manageable.
  4. Reliability of Office 365 DLP: As part of your business requirements you must consider your reliability policy. Do you support a fail-open or fail-close policy? Fail-open would mean that if your Office 365 DLP fails then all traffic is allowed without the DLP inspection. Fail-close would mean that if your Office 365 DLP fails then all traffic is disallowed. We strongly recommend a fail-open approach. We are unable to find a way to configure native Office 365 DLP for fail-open.
  5. Secure your sensitive data: Do you already encrypt all or most of your data at rest? We recommend this as the first major step if securing your sensitive data is critical for your business. Consider encrypting your Office 365 environment. Beyond encryption, Office 365 DLP should still be a major consideration for sensitive data as part of your data access, and collaboration. Define 3-5 levels of sensitivity and classify your data beyond compliance. See below for sensitive data.
  6. DLP incident management: Security incident management and DLP incident management should be treated differently. Because security incident management is broader and requires a broad response. DLP incident management is focused on a specific type of incident and is likely limited to a specific user. Office 365 DLP incidents are likely to increase dramatically with use. Your company may need help. Create a workflow. Identify the appropriate human resources to address these incidents. Prioritize your DLP incidents by severity or user groups. For example, highly sensitive data and executive users get higher priority. Your goals for DLP incident management should be a smooth business operation and security policy compliance.

What is sensitive information or data?

Sensitive information or data is such information that needs to be safeguarded. The purpose of safeguard could be privacy, security, competitive threat, regulatory compliance, risk of lawsuits, or a combination thereof. Sensitive information could be broadly classified as personal information, business information (very broad), intellectual property, and restricted or highly classified information. You may find additional sensitive data definitions here.

The native Microsoft Office 365 DLP provides a template for sensitive information definition. You may review this here. The built-in Office 365 DLP applies 87 built-in types of sensitive information such as credit card numbers, and other personally identifiable information. You may customize the built-in types of sensitive information.

Most Office 365 DLP vendors provide templates for data classification based on multiple different compliance requirements. You may choose one or many of these classifications for your specific needs. Creating new or custom sensitive types and deploying them based on your enterprise requirements is a difficult, and expensive process. It may also be ineffective and time-consuming process.

Sensitive information classification could be another reason to evaluate native Office 365 DLP vs. 3rd party vendor Office 365 DLP. If the 87 built-in types of sensitive information are sufficient for your business needs, then native Office 365 DLP could be a good choice for your initial DLP deployment.

Evaluate native Office 365 DLP based on the 87 built-in types of sensitive data.

What are sensitivity labels in Office 365?

Sensitive information or data is different from sensitivity labels in Office 365. A sensitivity label is a type of sensitivity that is afforded the type of sensitive data. A sensitivity label is applied to classify and protect your sensitive data. Typical DLP systems have up to 5 sensitivity labels. Systems deployed in government or defense are likely to have up to 22 sensitivity labels. The native Office 365 DLP has 4 predefined sensitivity labels: 1) Public, 2) General, 3) Confidential, and 4) Highly confidential. In Office 365 sensitivity labels are used for multiple purposes.

  1. Encrypt or watermark content with the sensitivity label
  2. Protect content on endpoints using Microsoft Intune
  3. Use it with Microsoft Cloud App Security (CASB) with 3rd party web apps

For more uses of sensitivity labels please refer here. Office 365 provides an ability to define new labels or sub-labels. And you may apply these labels automatically to all your content. Consider the automatic application of sensitivity labels as vendor evaluation criteria.

What is DLP policy in Office 365?

Office 365 Data Loss Prevention policy puts it all together. A policy includes the following parts:

  1. Applications: Office 365 DLP supports Exchange Online, SharePoint, OneDrive, Teams, Skype for Business, and all Office products. Refer here for plans that support native Office 365 DLP.
  2. Groups: For each application, you may include or exclude certain groups, sites or accounts.
  3. Rules: One or more rules could be included in each policy. For each rule conditions and actions are automated.

You can find more details about Office 365 DLP policy here. However, let’s simplify all of this from the perspective of your business. Let’s consider role-based data access, data flow, and enforcement. In practice:

  1. Users and Groups: You active directory has users and groups. A user may belong to multiple groups. Multiple users may belong in one group. Of course, your Office 365 DLP deployment should not dictate changes to your organizational user and group policies. You may consider new groups based on security policies.
  2. Non-actors and outside users: A non-actor is a machine or an unknown actor in the network. In the Office 365 environment, it may be unlikely to have unknown actors. You may consider creating a group of non-actors to enforce security policies mainly for highly sensitive data. Outsider users are clearly users that may be required to receive sensitive data. You may consider a group of outside users for your security policies.
  3. Titles and organizational changes: Changes to the organizational structure are common and often. Promotions, new hires, lateral transfers, and exits are common. This requires your day 2 operational capability to consider collaboration and sensitive data access. This is a moving target.
  4. New data creation: A lot of data is created by your company. It is constantly shared. Running data classification on newly created data is expensive and time-consuming. Automation and in-line classification is the way to go. While infrequent, this could also include new types of sensitive data or new sensitivity labels.
  5. Actions and notifications: Remediation can be in the form of blocking, blocking with or without notification, blocking file creation, user notification, quarantine, or coach users. Actions and notifications may also include a work-flow. A DLP workflow could be a user override. Another work-flow could be a user override combined with a manager or security analyst override.
  6. Sensitive data type: Each sensitive data may have a different remediation action. Access to a different type of sensitive information may be granularly defined for enhanced collaboration.

You need to first consider the DLP policies you are likely to deploy based on your specific needs.

The native Office 365 DLP provides DLP policy template. However, blindly deploying these templates could create more issues than solve them.

Office 365 DLP

Source: SherWeb Blog

Here are two examples of how DLP policies work in Office 365. Office desktop programs such as Excel, Word, and PowerPoint have the capabilities to identify sensitive information and apply DLP policies. These apps use the same central DLP policies and automatically classify the content and apply the respective policies. Once the DLP policies are turned on for Microsoft Teams, when a user shares sensitive data against a DLP policy, the chat message is either blocked or appropriate remediation is shown to the user.

Native Office 365 DLP templates

Office 365 delivers over 40 DLP policy templates that are easy to deploy. These include policy templates for GDPR, HIPAA, PII data, data breach notification laws, GLBA, and more. Each policy template includes the name of the rule, type of sensitive information, condition related to sharing of such sensitive information, and finally the action that is required to be done.

Office 365 DLP template includes regulation name, conditions of sharing, and action taken.

These templates may help with faster deployment for your immediate compliance needs. Implies against these policies sensitive information shared across all Office Apps is auto-detection and action taken based on the specific policy.

How much does it cost?

In the case of Equifax, the cost of the data breach was $439 Million. Your company could suffer substantial legal costs, loss of brand value, and more. For a company with $100 Million in revenue, the cost of a breach could be near $10-15 Million. For your Office 365 DLP, the overall cost of prevention is an obvious concern. Any investment in your Office 365 DLP should consider the following:

  1. Software licensing
  2. Setup, configuration, and installation
  3. Ongoing maintenance and incident response

Software licensing costs: Software licensing costs are fees to acquire a license for use of the software. Today, software-as-a-service is a more popular option for most software. There are two elements to the software-as-a-service model. One element is subscription fees. Another element is hosted or on-premise deployment.  Most 3rd party Office 365 DLP vendors offer a subscription fee model on per user basis. Office 365 is a hosted deployment. 3rd party Office 365 DLP vendors offer a hosted deployment and a few offer the option of an on-premise deployment. To compare software licensing costs it is best to compare based on the table below.

Office 365 E1Office 365 E3Office 365 E5Office 365 E1 with
3rd Party DLP
$ 8.00$ 20.00$ 35.00$ 10.00
Office apps, Email,
OneDrive, SharePoint,
Teams, Yammer,
Skype for Business…
+ Desktop versions + DLP
+ message encryption
+ rights management
+ Unlimited everything
+ Threat protection + BI
+ Cloud PBX …
E1 features
+ 3rd party vendor DLP

source: Microsoft partners (estimated pricing only)

Office 365 DLP subscription costs must factor the subscription costs of Office 365. Typically Microsoft partners offer custom Office 365 packages and pricing. For example, CDW offers Office 365 Enterprise ProPlus package for $11.52 which includes a full suite of Office apps, app management, and more. For a 1000 user environment, you could potentially save $120K to $400K. Evaluate any vendor Office 365 DLP based on your Office Apps requirements.

Setup, configuration, and installation: In the case of native Office 365 DLP deployment, setup, configuration, and installation services are provided by Microsoft partners. Engaging in a self-service model for this module could imply hiring the right person, training costs, policy definition costs, and more.

 Native Office 365 DLP self-service Native Office 365 DLP partner services 3rd Party Vendor Office 365 DLP
Training (3rd party)~ $10,000$ 0$ 0
Setup policy definition$ 24,000$ 12,000$ 10,000
Time to define policy4 weeks +2-3 weeks2 weeks
Configuration$ 12,000$ 3,600$ 1,800
Time to configure2 weeks +2-3 days1-2 days
Installation$ 6,000$ 3,600$ 1,800
Time to configure1 weeks +2-3 days1-2 days
Total estimate$ 52,000$ 19,200$ 13,600
Total est time6-8 weeks2-4 weeks2-3 weeks

*Hourly rate of $150 is considered for calculation

Ongoing management and incident response: If you use native Office 365 DLP or you use a vendor DLP, the ongoing maintenance and incident response is similar. We recommend a turn-key managed service option or a DLP as a service option. This option is suitable for companies with under 5000 employees. For ongoing management and incident response, consider incident-based pricing. This is often difficult to predict budget item. A company with under 5000 employees can expect 100-500 incidents a month. Preparation and user coaching is critical to keep this number low. The following issues must be considered to identify the annual cost of management and incident response.

  • Number of users using Office 365
  • The breadth of sensitive data types (beyond 87 types?)
  • Business process exceptions
  • Ability to weed out false positives

These issues will determine the number of incidents reported by your DLP deployment. Incident management is discussed below. These above issues are difficult to quantify both the likely number of incidents and complexity of incidents. On average, each incident resolution takes up to 60 minutes. For a 1000 user deployment, our estimate is an annual cost of $80,000. And, this assumes 100+ incidents per month.

For pricing and budgeting, we recommend the following:

  1. 3rd party Office 365 DLP (more features, more data types, potentially less false positives)
  2. Fixed price 3rd party setup, configuration, and installation
  3. A managed security service provider ex: $5,000 per month for 100 incidents a month + $50 per incident thereafter

Ongoing maintenance and DLP incident response

Initial setup, configuration, and deployment may be simple or complex depending on your business requirements. However, ongoing maintenance and incident response is complex. The complexity depends on a number of users, breadth of your sensitive data, business process exception, and ability to weed out false positives. As part of your day 2 operations, you need to do the following:

  • Ensure smooth business operations
  • Compliance of security policies
  • New policy creation (create, test, deploy)
  • Policy tuning (tune, test, deploy)
  • 24/7 monitoring of incidents, and escalation
  • Reporting
  • Learn and improve security posture

Microsoft provides 365 Security Center. We recommend that you create your own DLP specific dashboard based on the widgets provided by the 365 Security Center. You may create your custom alert policies and fine tune these alert policies for compliance. 3rd party Office 365 DLPs provide central security console. Additionally, you may also use SIEMs.

Office 365 DLP
Microsoft Office 365 Security Center

Source: Microsoft Corporation

Using 3rd party Office 365 DLP solution will be as simple or complex as the native solution. It is more likely that 3rd party solution have a larger ecosystem and partner base. You may find more effectiveness with 3rd party solutions. They are likely to provide training, operational support, and services needed for your day 2 operations.

Policy tuning, creation, testing, and deployment

Deploying a native or 3rd party Office 365 DLP is simple for a trained security technician. You may find several step-by-step configuration and deployment blogs. Here is a good list of them for native Office 365 DLP:

While policy creation may be simple. But, you need to test your policies in a sandbox environment before deployment. To test these policies in a sandbox environment, we need test data. This is a difficult and time-consuming task. You may license 3rd party test data. Or you may create your own test data for your specific business needs. The level of difficulty for new policy deployment is very high. You must ensure that your new policy does not create a lot of false positives. The trick to keeping low false positives is accurate test data and testing. After testing, deploy in a silent or observe mode before turning on more strict actions.

Choose a 3rd party Office 365 DLP solution. Depending on your budget, this may allow you to find the partners. Your partners will help with the initial policy setup and configuration. Your partners are also likely to provide ongoing policy help with changes in the regulations. For example, new upcoming privacy regulations such as CCPA will likely require new policy changes. Partners will help find the expertise needed to create policies across jurisdictions, and comply with multiple regulations in a more effective manner.

How to choose the right Office 365 DLP vendor?

Your business requirements will drive your vendor choice. The effectiveness of the right vendor for your business requirements can only be judged when you deploy a proof of concept.

We suggest that you consider the following vendors for your Office 365 DLP.

  1. Essert
  2. McAfee (SkyHighNetworks)
  3. Symantec (BlueCoat/Elastica)
  4. ForcePoint (Skyfence)
  5. DigitalGuardian
  6. Netskope
  7. BitGlass
  8. Office 365 Native DLP

In order to effectively evaluate 3rd party Office 365 DLP vendors, you need to consider one or more of these criteria.

Sensitive data

List your data by 5 sensitivity levels. We recommend sensitivity levels such as public, confidential, sensitive, highly sensitive data, and privileged. Evaluate your DLP vendors to have these levels of classification. Alternately, your vendor should have the capabilities to define custom classification based on your need.

Essential feature: Custom data classification

Data types

Nearly all DLP vendors provide the ability to recognize multiple data types. Office 365 DLP recognizes 87 types of data. Several other DLP vendors have pre-built ways to recognize nearly 3000 data types. Nearly all of these are structured data types. Do you have any specialized data types? For example, if you are a pharmaceutical company, your efficacy data will have to be the highest sensitivity – privileged. Evaluate your DLP vendors to identify and classify your custom sensitive data.

Essential feature: Comprehensive built-in data types

Data Flow

Data flow means business process flow. For smooth business operations, the flow of data is critical. Data flow starts with data access. You must evaluate DLP vendors for role-based access to data. Most DLP vendors do not provide role-based data access. Alternately evaluate DLP vendors for role-based data flow. This could be done by evaluating if the DLP vendor has the ability to inspect data flow based on the following matrix.

From WhomData SensitivityOffice365 AppTo WhomAction
Public data
Highly sensitive
Office Apps
Skype Business
External Users
Block (report)
Allow + report

Does your business need this granular control of sensitive data flow? For example, should the VP of finance have the capability to upload privileged information, in case of pharma efficacy data, to OneDrive? The mechanisms and importance of role-based data access, data flow, and the ability to take action based on the type of data sensitivity is a subject for another article. We expect to write this in the near future.

Essential feature for CCPA and GDPR compliance: Role based data flow

DLP by Microsoft Graph API

Microsoft Graph API is simple. Once the API integration is complete, any 3rd party vendor must test the integration across all the Office 365 Apps including Exchange Online, desktop & online Office Apps, OneDrive, SharePoint, Teams, and Skype Business. Evaluate your DLP vendors and test specific Office 365 Apps for your use. Alternately, your vendor should provide you a report of what is tested and list use cases they tested. We recommend only vendors with API integration. The benefits of Office 365 DLP API integration including avoiding setting up endpoint protection, avoid proxy, and avoid restricting access from unknown IP addresses.

Essential feature: DLP fully integrated with Microsoft Office 365 API

Active (inline) vs. Passive (Log-based) DLP

Active data loss prevention vs. passive monitoring for data protection are two distinctly different approaches. Office 365 DLP is meant to monitor, detect, and block sensitive data at rest, or in motion. Most Office 365 DLPs provide active and inline ability to protect sensitive data based on appropriate policies. However, depending on your business requirements you may simply be looking for a passive monitoring solution. A passive monitoring solution mirrors traffic and provides deep visibility. A few experts recommend passive monitoring solutions. A passive solution avoids the pitfall of DLP such as too many alerts, length rollout, false positive, false negatives, and more. However, beware that a passive solution cannot prevent any data breach it simply notifies you after the breach has occurred. We recommend an active Office 365 DLP solution.

Essential feature: Active Office 365 DLP solution

Management and Reporting

Management, alerts, alert thresholds, and reporting is a key criterion for 3rd party vendor selection. Most vendors meet these criteria, and the difference would be to understand how they can support you with your specific alerts, and reporting. Alerts are an important part of a DLP system deployment. Better alerts will reduce your need for 24/7 monitoring and will help with exception based incident response. This delivers on cost savings on your day 2 operational budget.

Good to have feature: SIEM integration

Single system vs. multiple components – implies costs

Traditional network DLP systems have multiple moving parts. Selecting a 3rd party vendor for your Office 365 DLP would imply that it is time to ensure that your costs can be managed downstream. There are three big cost factors in deploying a DLP system as discussed earlier. Several DLP vendors use a multi-component deployment. Find a single system that delivers all the necessary functionality. Several DLP vendors require you to do initial data discovery. Find a system that reduces this effort substantially while maintaining high efficiency in sensitive data detection.

Essential feature: One throat to choke or one system to manage

Time to deploy

Time to deploy is indeed a major consideration. Many 3rd party DLP vendors are known to take anywhere between 6 months to 18 months for a full Data Loss Protection deployment. The more time it takes implies the bigger the budget you need. Find a system that is faster to deploy without substantially impacting its effectiveness. Evaluate 3rd party Office 365 DLP vendors on their speed of initial deployment. Set expectations of 1-4 weeks for initial fairly effective deployment.

Good to have feature: Out of the box deployment

Migration to Office 365 DLP

This is simple. Is evaluation ease of migration critical for you? It implies that you already have a network DLP or CASB or a combination of these products already deployed. It is likely that your current vendor has integration with Office 365 DLP APIs. Congratulations! You did not need to read this entire article. Now that you have read so far, we recommend that you consider another vendor to judge the effectiveness of your current solution.

Essential feature: Current DLP should have Office 365 API integration

Costs and Pricing

Last but not least, your initial costs and your operational costs may potentially outweigh all your business requirements. Evaluate 3rd party Office 365 DLP vendors and compare with your overall Office 365 costs. Compare your current DLP costs vs. your extended Office 365 DLP costs. You may not want to pay twice for the same functionality or manage two different systems. Or it may be time for you to reconsider your current DLP system.


In summary, native Office 365 DLP is limited in its capabilities. However, this may be sufficient for your business. There are several 3rd party Office 365 DLP options. Primarily, established CASB (cloud access service brokers) vendors have fully integrated with Microsoft Graph APIs to deliver active Office 365 DLP. The licensing costs may be comparable to free native Office 365 DLP. We recommend the following:

  1. First, identify your needs and inventory your sensitive, highly sensitive and privileged data
  2. Communicate your goals clearly and define your team’s responsibilities
  3. Evaluate and select a 3rd party Office 365 DLP system
  4. Subscription cost per user likely between $2-$4 per month
  5. Clearly define your Office 365 policies consistent with your current DLP policies
  6. Coach your teams on the policy on sharing sensitive data in the cloud
  7. Restrict external sharing to whitelisted domains only
  8. Have a policy on whitelisting domains of customers, partners, and suppliers
  9. Block sharing or uploading of privileged data on Office 365 cloud
  10. Build and deploy consistent policies across Office 365 and other cloud services

More on Essert Office 365 DLP

Security Tips for Office 365

Security experts know that security is not a point solution. The following is a list of some important security tips to further fortify your sensitive data in Office 365.

  1. Deploy multi-factor authentication, including MFA for administrator accounts
  2. Migrate legacy authentication to multi-factor authentication
  3. Enable unified auditing in the security compliance center
  4. Turn on password sync
  5. Setup encryption of all your data-at-rest
  6. Use anti-phishing protection
  7. Provide security awareness training for your users and administrators

More information on preventing data breaches

Learn about our Office 365 DLP

Complete guide to Office 365 DLP