Why your DLP policy isn’t DLP (and how to fix it in Microsoft 365)

image

Most SMBs think they’ve “done DLP” because they ticked a box in Exchange.

They scan outbound email.

They block the occasional credit card number.

They call it done.

That’s not DLP. That’s transport filtering.

Real data loss doesn’t just leave through email anymore. It walks out via USB, clipboard, browser uploads, and users who don’t realise they’re doing anything wrong.

If you’re only protecting email, you’re protecting yesterday’s risk.

The shift is simple: stop thinking about where data leaves, and start thinking about where data lives and how it’s used.

What is Microsoft Purview DLP, really?

At its core, Microsoft Purview DLP is a policy engine that watches how sensitive data is used and shared, then steps in when it shouldn’t be.

Not just email. Not just files.

Behaviour.

It looks across Microsoft 365 — Exchange, SharePoint, Teams — and now endpoint devices as well.

That matters.

Exchange DLP scans emails and attachments and enforces actions.
Endpoint DLP extends this to USB copies, printing, clipboard, and uploads.

“We’ve got DLP on email, so we’re covered.”

No, you’ve just moved the problem somewhere else.

Data will always find another path out.

Step-by-Step: building a real DLP policy (Exchange + endpoint)
1. Go to the Purview portal

Navigate to Data loss prevention → Policies → Create policy.

2. Choose your locations

Select Exchange Online and Devices.

3. Define what matters

Use built-in sensitive information types and add context like external recipients.

4. Choose actions that teach

Warn, block, or allow override with justification.

5. Turn on endpoint coverage

Monitor and control how sensitive data is used directly on devices.

User copies sensitive file to USB → Block
User uploads to personal cloud → Block
User tries to email externally → Warn or encrypt

Notice what’s missing?
Separate tools.

Why this actually changes behaviour

Most security controls are reactive.

DLP — when done right — isn’t.

It works in the moment.

That’s the real win.

Instead of cleaning up incidents, you prevent them.

And you educate users while they work.

“Why did that get blocked?”

Now you’ve got a conversation instead of a breach.

My recommendation?

Start with one policy that covers Exchange and Endpoints. Run in audit mode. Then enforce.

Security doesn’t fail at the perimeter anymore. It fails in the moment of use.

DLP isn’t there to watch data leave.
It’s there to stop it leaving in the first place.

Sensitivity labels and auto-labelling: put a name on your data

MAI_e1bc506c74b669dd

Most people meet sensitivity labels the wrong way.

They see encryption and Purview and compliance in the same sentence and decide it’s an enterprise problem. Something for banks. Something that needs E5, a consultant, and six months.

So they leave the whole thing switched off.

Then a client emails a payroll spreadsheet to the wrong “David” in the address book, and it becomes very much their problem.

Here’s what I want you to understand. A sensitivity label isn’t a lock. It’s a name tag you put on information so Microsoft 365 knows how to treat it — and most of the value shows up before you’ve encrypted a single file.

What are sensitivity labels, really?

A sensitivity label is a tag that travels with the content. Apply Confidential to a Word doc and that label rides along into SharePoint, OneDrive, Teams, and the email it’s attached to — even off your tenant, if you allow it.

What the label does is up to you. It can simply mark the document with a header, footer, or watermark. It can show a visual classification users notice. Or it can go further and encrypt the file so only the right people open it.

That range is the bit people miss. You don’t have to start with encryption. You can start with classification — and classification on its own changes how people handle a file.

Step-by-Step: build your first label

Everything lives in the Microsoft Purview portal at purview.microsoft.com, under Information Protection. Microsoft seeds new tenants with a default set, but build and publish your own so the names actually mean something to your client.

Turn on labels for files

Before a label will stick to documents in SharePoint and OneDrive, go to Settings > Information Protection and turn on co-authoring for files with sensitivity labels. Skip this and your labels won’t apply to files at rest. It catches everyone once.

Create the label

Under Information Protection > Sensitivity labels, select Create a label. Give it a name your users will understand, not a compliance codeword. Set the scope to Files and emails.

Decide what it does

Now choose protection. Content marking — a header, footer, or watermark — is the gentle option. Access control with encryption is the heavy one. For your first label, pick marking. You can add teeth later.

Publish it

A label nobody can see does nothing. Create a label policy, add your label, and publish it to a group of users. Now it shows up under the Sensitivity button in Word, Excel, PowerPoint, and Outlook.

That’s a working label. Manual, user-applied, and included with the sensitivity-label entitlement most of your Business Premium clients already hold.

Step-by-Step: let the tenant do the labelling

Manual labels rely on people remembering. People don’t. So the next step is auto-labelling — and this is where the licensing line sits, so be straight with clients.

Pick your method

There are two. Client-side auto-labelling prompts or applies a label while someone edits a document in Office. Service-side auto-labelling policies scan content already sitting in SharePoint and OneDrive, plus mail moving through Exchange, with no user involved at all.

Run it in simulation first

This is the setting that saves you. An auto-labelling policy runs in simulation mode — it shows you exactly what would get labelled across the tenant without touching a thing. My recommendation? Always simulate, read the matches, fix your conditions, then turn it on.

Mind the licence

Auto-labelling — both flavours — needs the E5-tier Information Protection entitlement, not the base Business Premium one. Manual labels are included. Automatic ones aren’t. Don’t promise a client auto-labelling on a licence that doesn’t carry it.

“So do I need encryption on everything?” No. Most of my labels never encrypt anything. They classify. Encryption is reserved for the one or two labels that genuinely need it.

Here’s a starter taxonomy worth copying:

Personal
Public
General
Confidential
Highly Confidential

Notice what’s missing? Encryption — on four of the five. The top label might lock files down. The rest just name the sensitivity so people, and the tenant, treat them accordingly. Classification first, control second.

Why this actually changes behaviour

A labelled file behaves differently. DLP policies can key off the label. Auto-labelling can find the credit-card numbers your user forgot were buried in an old quote. And both SharePoint and Copilot respect the access a label enforces — which matters more every month.

But the quiet win is human. When someone clicks Confidential and a watermark appears, they slow down. They think before they forward. The label is doing the teaching.

Set it up once. It keeps working while everyone’s asleep.

Sensitivity labels aren’t there to make compliance harder. They’re there to make a careless mistake hard to make by accident.

If you’re rolling out Microsoft 365 and your clients’ data still has no name on it — that’s the gap. Put a name on it.

Copilot audit logs in Purview

MAI_2605f2cb1b864cc1

Most people ask the wrong question about Copilot.

They ask “is it safe?” What they mean is “can it leak our stuff?” Fair worry. But it’s the wrong place to start.

The real question a client should be asking is “can you show me what Copilot has been doing?” Because if the answer is no, safe or not doesn’t matter. You’re flying blind.

Here’s the thing nobody tells you in the licensing pitch. Every Copilot interaction is already being recorded. You don’t have to buy anything. You don’t have to flip a switch. It’s been sitting in the unified audit log the whole time, waiting for someone to go look.

Most MSPs never do.

What is Copilot audit logging, really?

It’s the receipt for every conversation your users have with Copilot.

When someone asks Copilot in Word to summarise a document, or asks Copilot in Teams what they missed, that interaction writes a record into Microsoft Purview. Who did it. When. Which Copilot app. And — this is the part that matters — which files and resources Copilot reached into to answer.

This happens automatically as part of Audit (Standard), which is on by default for business tenants. If auditing is running, Copilot logging is running. Microsoft spells it out in the audit logs for Copilot and AI applications docs: no extra steps, no separate config.

That’s not a feature you enable. That’s a feature you’ve been ignoring.

Step-by-Step: finding Copilot activity in Purview
Open the Audit solution

Go to the Microsoft Purview portal at purview.microsoft.com, sign in, and pick Audit from the Solutions list on the left. If you’ve got the Audit Logs or View-Only Audit Logs role, you’ll land on the search page. If you don’t, that’s your first job — sort the permissions, per the search the audit log guidance.

Set your date range and activity

Pick a start and end date. Then in the activities filter, search for the Copilot record type.

RecordType: CopilotInteraction
Activity:   Interacted with Copilot

Notice what’s missing? No prompt text in that filter. The audit row tells you that a conversation happened and what files it touched — it doesn’t hand you the back-and-forth wording. That content lives elsewhere, retained for eDiscovery and Communication Compliance, not in the row you’re reading. Knowing that distinction is what separates someone who’s read the docs from someone who’s guessing.

Run the search and read the resources

Start the job. It keeps running even if you close the browser, and finished searches stick around for 30 days. Open a result and look at the AccessedResources field. That’s the gold. It shows the actual files Copilot pulled in to ground its answer.

This is where oversharing shows up. If Copilot is referencing a payroll spreadsheet for someone in the warehouse, you didn’t find a Copilot problem. You found a permissions problem Copilot just made visible.

Export when you need a paper trail

Push the results to CSV. Now you’ve got evidence, not anecdotes.

Why this actually changes the client conversation

Walk into a renewal with “Copilot is secure, trust me” and you sound like every other reseller.

Walk in with “here’s a report of every file Copilot accessed last quarter, and here are the three oversharing issues we caught and fixed” — that’s a different meeting. That’s you doing governance, not selling a licence.

“Wait, so I can actually prove Copilot isn’t quietly reading files it shouldn’t?”

Yes. And that single sentence is worth more to a nervous business owner than any feature slide.

One caveat worth knowing. Retention isn’t infinite and it isn’t equal. On most Business Premium tenants you’re looking at 180 days. On E5, key workloads stretch to a year, and you can build longer audit log retention policies if compliance demands it. If a client needs to answer “what happened nine months ago,” check the retention before you promise the answer exists.

This is the stuff cyber insurance forms ask about. It’s what SMB1001 and Essential Eight assessors want to see. Not “do you have Copilot.” But “can you account for what it did.”

Copilot doesn’t forget. Make sure you can read what it remembers.

If you’ve rolled Copilot out to a client and you can’t pull this report, you haven’t finished the rollout. You’ve just started the part nobody bothered to do.

DLP and Sensitivity Labels for SMBs: A Practical Copilot Readiness Playbook

image

Most SMB data protection projects fail for one reason: teams optimize the label taxonomy before fixing access control. That creates a “labeled mess” instead of a governed environment. In practical terms, a “Confidential” label cannot compensate for a SharePoint site still shared with broad legacy permissions.

A safer and faster implementation sequence is: Permissions cleanup -> Sensitivity labels -> DLP tuning -> Copilot enablement. This order aligns with real-world Copilot risk patterns, where oversharing is usually the primary exposure pathway.

The Category Error to Avoid

The common debate in SMB projects is “How many labels should we deploy?” (for example, 4 vs 8 vs 12). That is the wrong first question. The first technical question is: “Are current permissions precise enough for labels to have security meaning?”

If broad groups, stale sharing links, and inherited permissions still expose sensitive locations, adding more labels mostly increases administrative overhead and user confusion. Copilot does not create this condition, but it can reveal it quickly by making discoverable content easier to surface through natural language prompts.

Reference Architecture for SMB Tenants

Use a minimal, repeatable baseline that can be implemented and operated by small IT teams.

1. Permissions Layer (Foundational)
  • Identify and remove broad default access patterns (for example, “Everyone except external users” where inappropriate).

  • Review high-risk SharePoint and Teams locations first: HR, Finance, Leadership, M&A, Legal, payroll artifacts.

  • Remove stale members from privileged Microsoft 365 groups and Teams.

  • Expire or revoke old anonymous or org-wide links where business value no longer exists.

  • Document approved sharing patterns by site type (departmental, project, external collaboration).
2. Label Layer (Classification)

Start with a compact taxonomy, then expand only with evidence.

  • Public – content approved for unrestricted internal and external use.

  • Internal – default business content for internal sharing.

  • Confidential – restricted business-sensitive data.

  • Highly Confidential (optional) – strongest controls, often encryption-backed.

Keep label names plain and user-comprehensible. If users cannot predict where a label applies, adoption and accuracy collapse.

3. DLP Layer (Policy Enforcement)
  • Deploy DLP in audit mode first (recommended: 60 days).

  • Prioritize high-confidence detections first (payment card data, national identifiers, banking information).

  • Monitor policy hits weekly and triage false positives with business owners.

  • Move to staged enforcement with user notifications before hard blocking where possible.
4. Copilot Layer (Consumption)

Enable Copilot only after oversharing findings are remediated to an agreed threshold. Treat Copilot enablement as a controlled release with explicit go/no-go criteria, not a licensing event.

Why Copilot Changes the Risk Visibility Model

Traditional oversharing could remain hidden for years because users had to know exactly where to look. Copilot lowers search friction by translating intent into broad retrieval across accessible content. This can expose latent permission mistakes quickly.

Oversharing is best treated as an access-control debt problem, not a labeling deficiency.

In practical operations, Copilot acts like a continuous discovery mechanism for permissions debt. If the tenant is clean, Copilot is productive. If not, Copilot surfaces the debt immediately.

60-Day Implementation Runbook

Phase 0 (Week 0): Scope and Governance
  • Define data protection owner, security owner, and business escalation path.

  • Agree target controls and business exceptions process.

  • Set Copilot readiness criteria before technical work begins.
Phase 1 (Weeks 1-2): Permissions Remediation
  • Run oversharing assessment on SharePoint and Teams-connected sites.

  • Rank findings by impact: executive, financial, personal data, contractual data.

  • Remediate critical sites first and verify effective permissions after each change.

  • Capture exception approvals where broad sharing must remain.
Phase 2 (Weeks 2-3): Label Deployment
  • Publish 3-4 labels to a pilot user group.

  • Validate user understanding with short examples and FAQ guidance.

  • Adjust label descriptions and policy tooltips based on pilot confusion points.
Phase 3 (Weeks 3-8): DLP Audit Mode
  • Enable DLP in monitor-only mode.

  • Collect incidents and tune detection thresholds/rules weekly.

  • Present day-30 report to stakeholders with false-positive and true-positive analysis.

  • Issue day-45 enforcement impact notice to users and managers.
Phase 4 (Week 9+): Staged Enforcement and Copilot Rollout
  • Turn on enforcement for highest-confidence policies first.

  • Enable Copilot for low-risk pilot cohort.

  • Review user prompts/incidents for unintended access outcomes.

  • Expand rollout only when no critical oversharing regressions are detected.

Operational Metrics That Matter

Track leading indicators, not just policy counts.

  • Permissions hygiene: number of high-risk overshared sites before vs after remediation.

  • Classification adoption: percentage of newly created docs with valid user-applied labels.

  • DLP quality: true-positive to false-positive ratio per policy.

  • Readiness confidence: unresolved critical findings at Copilot go-live.

  • User impact: helpdesk tickets per 100 users post-enforcement.

Common Failure Modes and Corrective Actions

Failure Mode 1: Label Proliferation

Symptom: taxonomy grows to 8-40 labels with low usage consistency.
Correction: reduce to behaviorally distinct labels users can apply accurately.

Failure Mode 2: Permanent Audit Mode

Symptom: policies remain non-enforcing for months or years.
Correction: define enforcement date at project kickoff and publish milestone reports.

Failure Mode 3: Copilot Before Cleanup

Symptom: sensitive content appears in valid-but-unexpected prompt responses.
Correction: block rollout until critical permissions findings are remediated and re-tested.

Practical MSP Packaging

The most successful SMB engagements package this work as Copilot Readiness and Data Access Hardening, not as a one-time “label deployment” project.

  • Deliverable 1: Oversharing assessment and remediation log

  • Deliverable 2: Compact label taxonomy and end-user guidance

  • Deliverable 3: DLP audit report at day 30 and day 60

  • Deliverable 4: Copilot go-live risk sign-off

  • Deliverable 5: Quarterly policy and permissions review cadence

Key Data Points to Use with Clients

  • Purview Suite for Business Premium add-on was announced at $10/user/month (September 2025).

  • Combined Defender + Purview Suites for Business Premium add-on was listed at $15/user/month.

  • Working SMB implementations commonly succeed with 3-4 labels, not large taxonomies.

  • A 60-day DLP audit window is a common practical baseline before enforcement.

  • Published incidents show that Copilot oversharing exposure typically traces back to legacy permissions.

Conclusion

For SMB tenants, the winning strategy is not maximum policy complexity. It is disciplined sequencing and operational follow-through. Start with permissions. Add a minimal label model. Run DLP in time-boxed audit mode. Enforce in stages. Then enable Copilot.

If you remember one line, use this: Clean access first, classify second, enforce third, accelerate last.


DSPM: The End of Guessing About Your Sensitive Data

image

Most Microsoft 365 tenants I walk into are flying blind on data.

The sensitivity labels exist. A couple of DLP policies exist. Someone once turned on Insider Risk Management because a consultant said so. And then nothing. Nobody knows what’s working, what’s exposed, or which sensitive files are sitting wide open in a SharePoint site shared with half the planet.

That’s not a security posture. That’s a guess.

The tool that finally ends the guessing is Microsoft Purview Data Security Posture Management. If you’ve got E5 or the Purview Suite and you’re not showing this to your clients, you’re leaving value on the table.

What is DSPM, really?

DSPM is the dashboard that tells you, in plain English, where your sensitive data is sitting unprotected and which users are handling it carelessly. It pulls signals from the tools you already pay for — DLP, Information Protection, Insider Risk Management, Adaptive Protection — and stitches them into one view.

The clever bit is the correlation. Before DSPM, you’d open five different blades, cross-reference three different reports, and still miss half of it. Now the findings and recommendations land on one page, with a one-click path to spin up the matching policy.

That’s not a report. That’s a to-do list with context.

Step-by-Step: turning DSPM on

Portal only. Stay in the GUI — easier for you, easier to hand off to the next admin.

Open the Purview portal

Sign in to the Microsoft Purview portal as a member of the Data Security Management role group, an Insider Risk Admin, or a Compliance Administrator. Global Admin works too, but please don’t use it if you can help it.

Open the DSPM solution

From the home page, go to SolutionsData Security Posture ManagementOverview.

Turn on analytics

On the Overview page, click Turn on analytics. That one switch also enables DLP analytics and Insider Risk analytics behind the scenes if they aren’t already on. One click, three switches. The full checklist is in the Get started with DSPM article.

Wait

Yes, really. The automated scan across your tenant can take up to three days on anything larger than a handful of users. Walk away. Brew a coffee. Come back on Thursday.

Review the recommendations

Back on the DSPM dashboard, open Recommendations. Each one tells you what was found, why it matters, and offers a one-click path to create the DLP or Insider Risk policy that fixes it. You don’t start from a blank policy screen anymore — you start from your tenant’s real gaps.

Track trends over time

Use the Analytics and Reports tabs in client reviews. A trend line of risky activity going down beats any invoice justification I’ve ever tried to write.

Why this actually changes behaviour

“Are we protected?”

That’s the question every SMB owner asks. Most of us have been answering with vibes. Good vibes, educated vibes, but vibes.

DSPM changes the answer. You can point at a number. You can point at a recommendation you actioned last month and the unprotected file count that dropped because of it. You can show, not tell.

For MSPs, that’s a QBR slide that sells itself. For internal IT, it’s the evidence you need when the CFO asks what the Microsoft Purview licence is actually doing for the business.

And if Copilot is already in the tenant — which, let’s be honest, it increasingly is — then DSPM for AI is your next stop. Same lens, pointed at what people are pasting into Copilot prompts and what’s flowing back out.

Copilot doesn’t slow down. Neither does your data sprawl. Use something that keeps up.

DSPM isn’t there to create more work. It’s there to stop the guessing.

M365 Business Premium Compliance Guide from CIAOPS

Design 6

Unlock Effortless Compliance for Australian Small Businesses with Microsoft 365 Business Premium!

Are you a small business owner navigating the complex world of Australian data privacy, security, and regulatory compliance? The “Microsoft 365 Business Premium Compliance Guide for Australian Small Businesses” is your essential resource for mastering the Privacy Act 1988, the Notifiable Data Breaches (NDB) scheme, and the ACSC Essential Eight cybersecurity framework—all with practical, step-by-step instructions.

What’s Inside:

  • Clear, actionable guidance on configuring Microsoft 365 Business Premium for compliance with Australian laws and standards.
  • Comprehensive coverage of key regulations, including the Privacy Act, NDB scheme, and Essential Eight, mapped directly to Microsoft 365 features.
  • Step-by-step setup instructions for multi-factor authentication, device management, data loss prevention, sensitivity labels, retention policies, secure collaboration, and more.
  • Quick start checklists and implementation roadmaps to accelerate your compliance journey.
  • Expert tips on overcoming licensing limitations and preparing for upcoming regulatory changes.

Perfect for:

  • Australian small businesses and health service providers
  • IT consultants and managed service providers
  • Business leaders seeking peace of mind on compliance and data protection

Why Choose This Guide?

  • Written specifically for the Australian regulatory landscape
  • Focused on practical, real-world solutions using Microsoft 365 Business Premium
  • Helps you achieve ACSC Essential Eight Maturity Level 2 and full compliance with the 13 Australian Privacy Principles

Stay ahead of regulatory changes and protect your business with confidence.

Get your copy of “Using M365BP for Compliance” today and turn Microsoft 365 Business Premium into your compliance powerhouse!

Get a copy today at – https://directorcia.gumroad.com/l/m365bbcg (nominate yoru own price).

Check out all the other CIAOPS Publications at – https://directorcia.gumroad.com/

M365 Business Premium comparison table with add ons Defender and Purview suites

Screenshot 2025-10-07 082341

Just completed a simple 2 page comparison table of the features of M365 Business and the new add ons, Defender and Purview suites. It shows what M365 Business Premium provides already and then what each suite add across all the features in a single 2 page PDF download for free.

To get a copy of the PDF emailed to you just complete this form:

https://forms.office.com/r/LdHPQk3w1b

Let me know what you think.