DLP in Exchange Online
Understanding the Concept
Exchange Online DLP evaluates email content (body and attachments) before delivery. It can block, redirect, or modify emails containing sensitive data.
Policy tips appear in Outlook as users compose emails, providing real-time feedback before they hit send. This educates users and prevents violations proactively.
Mail flow rules can complement DLP by adding disclaimers, requiring TLS encryption, or journaling matches. DLP and mail flow rules work together for comprehensive email protection.
Key Points
- Pre-Send Evaluation: Policy tips in Outlook before sending
- Attachment Scanning: All attachments are scanned, including nested ones
- Block Actions: Reject, bounce, or hold for review
- Redirect: Send to compliance mailbox for review
- Notification: Alert sender, recipient, admin
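The two layers described above, as an added example that is not part of the original lesson: a DLP policy for Exchange with a policy tip, override with justification and an incident report, plus a mail flow rule that requires TLS for outbound mail. The policy and rule names, the tip text and the compliance mailbox address are placeholders, and the sensitive information type is an assumed choice.

```powershell
# Added example. Names and the mailbox address below are placeholders.
# Requires the ExchangeOnlineManagement module and suitable admin roles.
Import-Module ExchangeOnlineManagement

# --- Layer 1: DLP policy and rule (Security & Compliance PowerShell) ---
Connect-IPPSSession

# Scope the policy to Exchange and start in test mode with policy tips,
# so matches can be reviewed before anything is blocked.
New-DlpCompliancePolicy -Name 'Email - Financial Data (example)' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

$rule = @{
    Name   = 'Block card numbers sent externally (example)'
    Policy = 'Email - Financial Data (example)'
    # Condition: content (body or attachments) matches the sensitive info type
    ContentContainsSensitiveInformation = @{ Name = 'Credit Card Number'; minCount = '1' }
    # Condition: at least one recipient is outside the organization
    AccessScope               = 'NotInOrganization'
    # Action: block the message
    BlockAccess               = $true
    # Notification and policy tip shown while composing
    NotifyUser                = 'LastModifier'
    NotifyPolicyTipCustomText = 'This message appears to contain card numbers.'
    # Let the user override, but only with a business justification
    NotifyAllowOverride       = 'WithJustification'
    # Send an incident report to the compliance mailbox (placeholder address)
    GenerateIncidentReport    = 'compliance@contoso.example'
    IncidentReportContent     = 'All'
}
New-DlpComplianceRule @rule

# --- Layer 2: mail flow rule (Exchange Online PowerShell) ---
Connect-ExchangeOnline

# Require TLS for all mail leaving the organization
New-TransportRule -Name 'Require TLS for outbound mail (example)' `
    -SentToScope NotInOrganization `
    -RouteMessageOutboundRequireTls $true

# Once test-mode matches look correct, switch the DLP policy to enforcement
Set-DlpCompliancePolicy -Identity 'Email - Financial Data (example)' -Mode Enable
```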
Exchange DLP Flow
- Compose: User composes email with sensitive content
- Policy Tip: Real-time policy tip shown in Outlook
- Send: User sends (may override or provide justification)
- Transport Scan: Message scanned in transport pipeline
- Action: Block, redirect, modify, or allow based on policy
- Delivery: Message delivered (or bounced/held)
Why This Matters in Real Organizations
Email remains the primary vector for data leakage. Policy tips educate users before violations occur, while transport rules catch what policy tips miss. This dual protection significantly reduces email-based data loss.
Common Mistakes to Avoid
Interview Tips
- Explain the dual layer (policy tips + transport)
- Discuss the user experience
- Mention override and justification workflows
Exam Tips (SC-401)
- Know which actions require transport rules vs DLP
- Understand policy tip availability across clients
- Know attachment scanning capabilities