Enabling Data Loss Prevention, Azure Information Protection and more in Microsoft 365 Business

Published 10-19-2018 11:04 AM 10.8K Views


Earlier this year, we announced several advanced security features coming to Microsoft 365 Business to help protect businesses from an increasingly complex cyberthreat landscape and safeguard their sensitive information from unintentional data leaks.


You can now enable features like Data Loss Prevention, Azure Information Protection, Advanced Threat Protection as described in this support article.


If you’ve always wondered what security features you should enable to protect against external cyber threats, we’ve also outlined the Top 10 ways to secure your environment from cyber threats using  Microsoft 365 Business. This helps provide a quick, recommended list of security tasks to undertake along with instructions on how do to enable these features.



Occasional Contributor

Hi Ashanka,


A lot of my SMB's that I demo Windows Defender ATP to love the protect right up until they see they need an E5 license. Is there any chance that M365 Business can have an Option to purchase Windows ATP? Most of the feed back from my clients has been that while they are sub 300 having a bolt would be great, once they are greater than  300 then they would most likely commit to an E5.




Dear all, I'm looking for a DLP use case based on AIP confidential tagging: any example? thanks

Occasional Contributor

Hey Valerie,


Not sure what you're after, did you want a example of when\why to use DLP, or examples of Labels and supporting policies?




Hi @valerie utges,


You can use DLP work with AIP labels.  If you need to manually configure Exchange DLP, or a 3rd party DLP scanner that does not have native AIP integration, the key is to scan for this text:  MSIP_Label_<GUID>_Enabled=True


You'll need to replace <GUID> with the Label_ID guid from the AIP label you're searching for.  This is shown in AIP after the label is created.  Here's an example for my demo tenant's Confidential/All Employees label, where the guid is:  




DLP policies could then be configured to identify emails or documents containing the text: MSIP_Label_629dc3ac-05ac-4032-bc5b-3f95ac306ac3_Enabled=True 


Hope that helps!



Hi @David Bjurman-Birr

thanks for the reply! I've run some cases with labels. Now I'm facing another issue with sensitive info case regex: it's matching (user notification) but I'm not receiving any report at the emails I've put in the policy...any clue?

thanks again



Hi @valerie utges,


If you post more detail so that I can better understand exactly what you're trying to do and/or recreate your policy and reproduce the problem, I can probably help figure it out.



Are you having trouble with a DLP policy in Security and Compliance center?


If so, it's important to know that DLP works differently based on workload (Location).  For example, when using Exchange Online DLP is invoked upon message submission (when you press send) so actions related to policy matches (such as a policy tip) occur right away.  For files in OneDrive or SharePoint, it works a bit differently.  DLP is invoked when the crawler indexes content (some minutes after the file is saved) so actions related to policy matches are delayed.


If you want help troubleshooting a specific policy or setting, please send enough detail so that I can recreate your policy in my demo tenant and I'll see what I can do.





Hi !


I noticed that the DLP Policy is working after 3-5 minutes after an update. So if I test the new policy immediately after updating it, it doesn't work. Can anyone confirm this latency ?

And in the mail (report to an admin that a user sent a mail that matches a DLP policy), the entire mail of the user is joint to the report, including any joint files. Is there any possibility to configure to only report the matched rule in the report mail, but not the mail nor the joint file (for personal data protection, GDPR...) ?

Finally, is the system really working ? I test many configurations, but now, my rule doesn't work anymore. It used to work 4 days ago, I deactivated the DLP policy by the end of the day, and today, I reactivate it, but the mail (with content matching the sensitive data in the body of the mail or in an attached file) is sent anyway and no report mail is received by the administrator...


Thank you !

Version history
Last update:
‎Oct 19 2018 11:05 AM
Updated by: