Email is the dinosaur of digital communication – and despite Teams or Slack, it’s still the number one gateway for data loss. Whether it’s a wrong recipient in the “Cc”, a thoughtless “Reply All” or the well-intentioned sending of an Excel list to your private address to continue working on the weekend: As soon as an email leaves your tenant, you lose control.

Now let’s go into practice. Exchange Online is often the first workload that companies secure, because this is where the ROI (return on investment) for security is visible most quickly.

But be careful: Exchange DLP doesn’t necessarily mean “block.” In the modern world, DLP is often an enabler. Instead of prohibiting the sending of sensitive data, we can automatically secure it using Office 365 Message Encryption (OME). This turns a security risk into a protected business process.

In this guide, we will build four practical scenarios together that build on each other:

  1. The “emergency brake”: Blocking highly sensitive data to external recipients.
  2. The “seat belt”: Automatic encryption when confidential information is sent.
  3. The “Internal Firewall”: Prevent data from flowing between departments.
  4. The “control room”: Manager Approval for more complex topics.

Preparation & Requirements

Before we configure, a quick check of the framework conditions. Many admins fear complex rollouts or high costs with DLP. In the case of Exchange Online, this is unfounded.

Data-in-transit protection is already included in Microsoft 365 Business Premium and E3. You don’t need expensive E5 upgrades for this guide.

Want to know more? 👉 Click here for the detailed DLP overview page [Microsoft Purview DLP | Architecture & Strategy Guide], where we highlight all licensing models and feature differences.

Note on shared mailboxes: The DLP rules also apply to shared mailboxes by default, as long as the sending user has a valid license.

In this article, we’ll focus on “DLP for Exchange Online”.

The starting point for all scenarios

Whether we block, encrypt or approve, the configuration always starts at the same place. We don’t work in the classic Exchange admin center, but centrally in the Microsoft Purview Portal (formerly Compliance Center).

  1. Open the Microsoft Purview portal.
  2. In the left panel, navigate to Data loss prevention.
  3. Click Policies in the menu.


Scenario A: Emergency brake (blocking external shares)

In this scenario, we build a classic “data leakage” protective wall. The goal is to stop the outflow of highly critical data (such as credit card numbers or internal project codes) to external recipients. We deliberately take the “Custom” approach here so that you understand the logic behind the rules instead of blindly relying on templates.

Step 1: Policy Creation & Location

In the Microsoft Purview portal, navigate to Data loss prevention > DLP policies and click Create policy.

  1. What information needs to be protected?
    • In the first step, the assistant asks for the area.
    • Here we select Enterprise applications & devices. (Note: This step may vary depending on your view, but will result in category selection).
  2. Choose category:
    • Select Custom and then Custom policy.
    • Why? Although there are templates for “financial data”, we want to have full control over the actions.
  3. Name & Description:
    • Give the policy a descriptive name, e.g. DLP-EXO-Block-Financial-External.
    • A good description will help your team understand the purpose later.
  4. Locations – IMPORTANT:
    • Now comes the decisive step. By default, Microsoft often activates all locations.
    • Turn off SharePoint, OneDrive, Teams, and Devices.
    • Check the box ONLY for Exchange email.

Why this separation? DLP rules for email work technically differently than for files at rest (SharePoint). If you put all locations in one policy, you will have difficulty defining specific actions (such as “encrypt” or “moderate”) later on, because these options do not exist for SharePoint. “Keep it simple” is the motto for clean troubleshooting.



Step 2: The Conditions

In the Define policy settings step, select Create or customize advanced DLP rules. Click Create rule.

A DLP rule always needs logic along the lines of: IF [content sensitive] AND [recipient external] THEN [action].

  • Define content:
    • Click Add condition > Content contains > Sensitive info types.
    • Search and choose the classics here:
      • Credit Card Number
      • International Banking Account Number (IBAN)
      • Germany Identity Card Number
    • Tip: You can also store your own “keyword dictionaries” here, for example for internal project names (e.g. “Project Phoenix”).
  • Define direction:
    • Add another condition: Content is shared from Microsoft 365.
    • Select the option: with people outside my organization.

The logic: This combination ensures that internal mails (e.g. to the accounting department) are not blocked. The rule only applies when data leaves your tenant’s safe haven.



Step 3: The Action (Block & Notification)

If the conditions match, Exchange must act. In the Rules Editor, scroll down to the Actions section.

  1. Restrict access:
    • Add the action: Restrict access or encrypt the content.
    • Select the option: Block users from sending email.
    • Effect: The email does not leave the outgoing mail server and the sender receives a non-delivery report (NDR).
  2. User notifications:
    • Silent blocking creates frustration and tickets. Turn on the Use notifications… toggle.
    • This ensures that the user sees a policy tip in Outlook – i.e. a yellow bar even before he sends.
  3. The Valve (User Overrides):
    • Scroll to User allowed to override the restrictions (User overrides).
    • Enable: Allow users to override policy restrictions.
    • Select: Require a business justification to override.

Tip: Why do we allow the block to be bypassed? Because DLP is never 100% perfect. Perhaps the HR department urgently needs to send data to an external auditor and the deadline is about to expire. With the override, you enable the business process but log the justification for the audit. It’s the ideal compromise between security and productivity.
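The same Scenario A policy can be built without the wizard, which is handy for documenting the configuration as code and repeating it in a second tenant. The following is an added example and not code from the article: it uses Security & Compliance PowerShell (ExchangeOnlineManagement module). The policy name is the one from the article; the rule name, the policy-tip text and the minCount/minConfidence values are my own choices.

```powershell
# Added example (not the article's own code): Scenario A via
# Security & Compliance PowerShell. Requires the ExchangeOnlineManagement
# module and a Purview / Compliance admin role.
Connect-IPPSSession

$policyName = 'DLP-EXO-Block-Financial-External'   # name used in the article

# 1. Policy scoped to Exchange email only. TestWithNotifications is the
#    simulation mode with policy tips; switch to Enable after tuning.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Scenario A: block financial data / PII to external recipients' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# 2. Rule logic: IF [content sensitive] AND [recipient external] THEN [block].
#    Several sensitive info types in one array match if any of them is found.
#    minCount / minConfidence decide how much evidence is needed; raising
#    minConfidence is the usual first step against false positives.
New-DlpComplianceRule -Name 'Block-Financial-External' -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number'; minCount = '1'; minConfidence = '85' }
        @{ Name = 'International Banking Account Number (IBAN)'; minCount = '1'; minConfidence = '85' }
        @{ Name = 'Germany Identity Card Number'; minCount = '1'; minConfidence = '85' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser 'LastModifier' `
    -NotifyPolicyTipCustomText 'This email contains financial data or personal identifiers and cannot be sent outside the organization.' `
    -NotifyAllowOverride 'WithJustification' `
    -ReportSeverityLevel High

# 3. Read the rule back before handing the policy over to simulation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, BlockAccessScope, NotifyAllowOverride
```

NotifyAllowOverride 'WithJustification' is the PowerShell equivalent of the “Require a business justification to override” checkbox, and AccessScope NotInOrganization is the “with people outside my organization” condition from Step 2.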




Scenario B: The seat belt (encryption)

While we pulled the “emergency brake” in the first scenario, we are now taking care of the real day-to-day business. Data has to leave the company – whether it’s a draft contract to a partner, salary data to the tax consultant or patient data to an insurance company. A blanket blocking would be a “business blocker” here.

Instead of preventing it from being sent, we use DLP as an enabler: we force the system to automatically encrypt the message if the sender forgets to do so. This is the “seat belt”: You are allowed to drive, but only with your seat belt on.

The highlight: We don’t have to reteach the system what is “confidential”. In the previous articles “Sensitivity Labels: Architecture & Practice” and “Automated Application of Sensitivity Labels”, we have already defined how to classify data (tagging). We are now using this preliminary work: As soon as an email or attachment bears the label “Confidential”, DLP automatically applies Office 365 Message Encryption (OME).


Office 365 Message Encryption (OME) works intelligently in the background. The user experience depends on which email service the recipient uses:

  • Microsoft 365 / Outlook: The mail is automatically decrypted and is immediately readable (marked by a lock symbol).
  • External (Gmail, GMX): The recipient receives a link to the OME portal and opens the e-mail securely via one-time code (OTP) or Google login.
  • Attachments: They are also encrypted and can only be read after authentication.

Step 1: Build the rule (labels as triggers)

Time is money! Instead of configuring a new policy completely from scratch and selecting all locations again, we simply copy our existing policy from scenario A. This ensures that we have consistent settings (e.g. only Exchange Online selected) and saves clicks.

We only adjust the logic in the copy: Instead of looking for patterns like credit card numbers, we use the groundwork from your information protection strategy. The advantage: DLP no longer has to guess whether content is sensitive. If a user has already classified the document as “Confidential”, DLP trusts this assessment and enforces encryption at the gateway.

  1. Duplicate policy:
    • In the Purview Portal, navigate to DLP (Data Loss Prevention) > policies.
    • Check the box next to your policy from Scenario A.
    • Click Copy Policy in the menu bar at the top.
    • Give the new policy an appropriate name, such as DLP-EXO-Encrypt-Confidential, and save it.
  2. Edit rule:
    • Click the name of the new policy and select Edit Policy.
    • Navigate to the Customize advanced DLP rules step and click the pencil icon (Edit) next to the applied rule.
  3. Change Condition:
    • Remove the old condition (e.g., credit cards) by clicking the delete icon next to it.
    • Click Add condition > Content contains.
    • Select Sensitivity labels from the drop-down menu and click Add.
    • Select your labels here.

Important: Make sure that the second condition, Content is shared from Microsoft 365, is still set to People outside my organization.

Step 2: Set encryption as action

Now for the magic. When a confidential email leaves the house, Exchange Online (more precisely: Office 365 Message Encryption / OME) is supposed to intervene.

In the background, Exchange wraps the message in an HTML wrapper. Recipients with Microsoft 365 often do not notice this (transparent decryption), while recipients with GMX or Gmail receive a link and authenticate themselves via a one-time code. The ingenious thing about it: You take the decision away from the user. He no longer has to remember to press the small “Encrypt” button in Outlook – the policy does this in the backend.

  1. Go to the Actions section.
  2. If there is still a “Block” action from the old rule, delete it.
  3. Add the action: Restrict access or Encrypt content in Microsoft 365 locations.
  4. Check the box next to Encrypt email messages.
  5. Under Select protection entitlement, you usually have two relevant options (depending on the license):
    • Encrypt only: The message is secure, but the recipient can print it and forward it. That’s the “friendly” standard.
    • Do not forward: The message is encrypted, but technically cannot be forwarded, printed or copied. Ideal for very sensitive data.
  6. Save the rule and policy.

💡 Attention for older tenants! If encryption doesn’t work despite the correct rule, the feature may still be disabled in your tenant (this applies to tenants created before 2018).

Connect to Exchange Online PowerShell (ExchangeOnlineManagement module) and activate the feature:

Connect-ExchangeOnline
Set-IRMConfiguration -AzureRMSLicensingEnabled $true

This ensures that the modern OME functions (Office 365 Message Encryption) are technically available.
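For reference, here is Scenario B as an added PowerShell example (not code from the article): the rule triggers on a sensitivity label instead of a pattern and applies the OME template as its action, followed by the IRM check for older tenants. It assumes your label is literally named “Confidential”; the policy name is the one from the article, the rule name and the placeholder sender address are mine.

```powershell
# Added example (not the article's own code): Scenario B in PowerShell.
# Assumes a sensitivity label named 'Confidential' exists in the tenant.
Connect-IPPSSession

$policyName = 'DLP-EXO-Encrypt-Confidential'   # name used in the article

New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Scenario B: auto-encrypt Confidential mail to external recipients' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# Trigger = the label applied earlier, not a pattern. Label conditions use
# the group syntax of -ContentContainsSensitiveInformation: the outer
# operator combines groups, the inner operator combines labels in a group.
$labelCondition = @(
    @{
        operator = 'And'
        groups   = @(
            @{
                name     = 'ConfidentialLabel'
                operator = 'Or'
                labels   = @(
                    @{ name = 'Confidential'; type = 'Sensitivity' }
                )
            }
        )
    }
)

# Action: the 'Encrypt' template is "Encrypt only"; use 'Do Not Forward'
# for the stricter entitlement (no forwarding, printing or copying).
New-DlpComplianceRule -Name 'Encrypt-Confidential-External' -Policy $policyName `
    -ContentContainsSensitiveInformation $labelCondition `
    -AccessScope NotInOrganization `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -NotifyUser 'LastModifier' `
    -NotifyPolicyTipCustomText 'This message carries the Confidential label and will be encrypted automatically for external recipients.'

# Older tenants: confirm that Azure RMS / OME is switched on (Exchange Online session).
Connect-ExchangeOnline
$irm = Get-IRMConfiguration
$irm | Format-List AzureRMSLicensingEnabled, SimplifiedClientAccessEnabled
if (-not $irm.AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}
# End-to-end check of the IRM setup for one sender (placeholder address)
Test-IRMConfiguration -Sender 'alice@contoso.example'
```

Test-IRMConfiguration is the quickest way to tell a licensing problem from a rule problem: if it fails, no DLP rule will be able to encrypt, no matter how it is configured.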



Scenario C: The internal firewall

So far, we’ve focused on ensuring that data doesn’t leave the company. But reality shows that many data leaks happen internally. Payrolls accidentally end up in the “All Employees” mailing list, or the research department unknowingly shares patent drafts with sales.

In this scenario, we do not block outbound mail; we block the flow of information within the tenant between departments that must remain strictly separated (segregation of duties).

Step 1: Define the scope (inside instead of outside)

We start again efficiently by copying an existing policy. However, since the logic for internal blocks is very different from external warnings, we delete the inherited rule and create a completely new one. This guarantees us a clean configuration without “legacy issues” in the settings.

  1. Prepare policy:
    • Navigate to DLP (Data Loss Prevention) > policies.
    • Select an existing Exchange policy (for example, from scenario A) and click Copy Policy at the top.
    • Name the new policy, for example, DLP-EXO-Internal-Block-HR and save it.
    • Open the policy for editing and go to the Customize advanced DLP rules step.
  2. Clean Up & Create New:
    • Delete the existing rule (click on the trash can icon).
    • Click Create rule.
    • Give the rule a name, e.g. Block HR Data Internal.
  3. Define conditions:
    • What (content): Add the condition: Content contains > sensitive information types.
      • Select specific internal data types, e.g. Germany Tax Identification Number.
      • Professional version: Before doing so, create your own keyword dictionary under “Data Classification” with terms such as “salary adjustment”, “bonus”, “severance pay”.
    • Where (Scope): Add the condition: Content is shared from Microsoft 365.
      • This time, explicitly choose: only for people within my organization.
    • Who (sender): Add the condition: Sender is.
      • To avoid false positives, select a specific group here, such as the HR Personnel distribution group.
      • Logic: The rule only applies if someone from HR (sender) sends to someone internally (receiver).

Step 2: The Action (Blocking with Explanation)

If sensitive HR data is sent internally to unauthorized colleagues (e.g. via a thoughtless “Reply All”), it must be stopped. Here, the learning effect (“policy tip”) is almost more important than the block itself. The employee must understand why he is not allowed to send this email to the colleague at the desk opposite.

  1. In the Rule Editor, scroll to the Actions section.
  2. Add the action: Restrict access or Encrypt content in Microsoft 365 locations.
  3. Select the option: Block everyone. (This prevents the email from being sent).
  4. Continue scrolling to User Notifications.
  5. Turn on the Notify users and help train them….
  6. Check the box next to Customize the policy tip text and enter a clear note:
    • Example: “This email contains confidential HR data and must not be distributed internally via email. Please use the secure SharePoint area for this.”

The Mindset: We educate users to file correctly. Email is not a file folder for internal secrets.
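Scenario C as an added PowerShell example (not code from the article), showing the who/what/where triad of the rule: sender group, internal scope, and content. The policy and rule names and the policy-tip text are the ones from the article; the HR group address and the name of the custom keyword dictionary are placeholders for your own objects. The ExceptIfSentToMemberOf exception goes one step beyond the article so that HR colleagues can still mail each other.

```powershell
# Added example (not the article's own code): Scenario C in PowerShell.
Connect-IPPSSession

$policyName = 'DLP-EXO-Internal-Block-HR'         # name used in the article
$hrGroup    = 'hr-personnel@contoso.example'       # placeholder: your HR distribution group

New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Scenario C: keep HR payroll data from spreading internally' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# Who  -> FromMemberOf: only mail sent by members of the HR group
# Where-> AccessScope InOrganization: internal recipients only
# What -> German tax ID or the custom keyword dictionary (placeholder name)
# Exception (my addition): HR-to-HR mail is allowed to pass
New-DlpComplianceRule -Name 'Block HR Data Internal' -Policy $policyName `
    -FromMemberOf $hrGroup `
    -AccessScope InOrganization `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Germany Tax Identification Number'; minCount = '1' }
        @{ Name = 'HR Payroll Keywords'; minCount = '1' }
    ) `
    -ExceptIfSentToMemberOf $hrGroup `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser 'LastModifier' `
    -NotifyPolicyTipCustomText 'This email contains confidential HR data and must not be distributed internally via email. Please use the secure SharePoint area for this.'
```

BlockAccessScope All corresponds to the “Block everyone” option in the portal; the custom keyword dictionary must exist as a sensitive information type before the rule can reference it by name.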



Scenario D: The Control Room (Manager Approval)

Sometimes “Block” is too hard and “Encrypt” is too soft. There are gray areas. Imagine an engineer sending large CAD files to a supplier. This could be industrial espionage, but it could also be part of a critical project that needs to be completed today.

An algorithm often cannot assess the context (“Is this business-critical today?”). A person can. That’s why we use a DLP function that brings the supervisor into the process: The email is paused, the supervisor reviews it and clicks “Approve”. Only then is it sent.

Step 1: Trigger for gray areas

In order for the approval options to appear in the DLP menu at all, the policy must focus exclusively on emails. Since we have already built exactly such “Exchange Only” policies in scenarios A, B and C, we can save ourselves the work and simply duplicate one of them.

  1. Copy policy:
    • Select one of your existing Exchange policies (e.g. DLP-EXO-Block-Financial-External).
    • Click Copy Policy in the bar at the top.
    • Give the copy an appropriate name, e.g. DLP-EXO-Manager-Approval-CAD, and save it.
  2. Check locations (the decisive trick):
    • Open the new policy and click Edit Policy.
    • Click through to the Locations step.
      • Check: Make sure that ONLY the Exchange Email toggle is enabled. (SharePoint, OneDrive, etc. must be off).
      • Why? If other locations were enabled here, Microsoft would simply hide the approval action later on! Since we have copied, however, this should already be correct.
  3. Go to Customize advanced DLP rules.
    • Delete the inherited rule, as we need a completely new logic for this special case.
    • Click Create Rule and give it a name (e.g. Check Large Attachments).

Step 2: Redirection to the supervisor

Instead of hard blocking the email (which disrupts the workflow) or simply waving it through, we put a human instance in between. We’ll redirect the message for approval.

  1. Set Condition (Trigger):
    • Click Add condition.
    • The logic (AND/OR): Here you decide how sharp the filter is set.
      • AND (Strict Filter): If you add conditions to each other, they must all be true at the same time.
        • Example: The e-mail contains the word “Project X” AND also bears the confidentiality label “Secret”. Only if both fit does the rule apply.
      • OR (Wide Filter): Do you want the rule to take effect as soon as one of the criteria is met? Then you have to work with groups (click on Add group).
        • Example: The email contains “Project X” (Group 1) OR it has the label “Secret” (Group 2). In both cases, the boss must approve.
    • Recommendation: Start with a simple condition, such as Content Contains (for project names) or The attachment size is greater than or equal to (for example, 10 MB).
    • Important: At the end, add the condition (via AND linked): Content is shared > from Microsoft 365 to people outside my organization.
  2. Select Action (The Approval):
    • Click Add Action.
    • Select the Action: Forward the message for approval to.
      • Note: This option is only visible because we have exclusively chosen “Exchange” as the location in step 1!
  3. Determine the approver: Two strategic paths open up here:
    • Path A: The hierarchy solution (“Supervisor of the sender”)
      • How it works: Exchange looks up the Manager field in the sender’s Entra ID (Azure AD) object. The mail is dynamically sent to exactly this person.
      • Advantage: Scales perfectly. Marketing checks marketing emails, technology checks technology emails.
      • Prerequisite: Your Active Directory must be properly maintained!
    • Path B: The Fixed Gatekeeper (“Certain People”)
      • How it works: You designate a fixed email address (e.g. compliance@firma.de or the CISO).
      • Area of application: Useful for incomplete AD or for highly specific financial topics.
  4. Optional: Inform the sender (Policy Tip): So that the sender knows why the customer does not yet have the mail, we configure a note.
    • Scroll down to the User Notifications section.
    • Turn on the Notify user… toggle.
    • Check the Customize policy tip text box and enter clear text:
      • Example: “Your message is awaiting approval from your supervisor.”
  5. Save:
    • Click Save (at the bottom of the Rules Editor).
    • Click Next in the Policy Wizard, set the mode to Power On (Immediately) or Test in Simulation Mode , and click Submit (Finish).
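Scenario D as an added PowerShell example (not code from the article), covering both approver paths. The policy and rule names, the 10 MB threshold, the policy-tip text and the compliance@firma.de address come from the article. The hashtable syntax of the Moderate parameter is written as I recall it from the cmdlet documentation; confirm it with Get-Help New-DlpComplianceRule -Parameter Moderate in your tenant before relying on it.

```powershell
# Added example (not the article's own code): Scenario D in PowerShell.
Connect-IPPSSession

$policyName = 'DLP-EXO-Manager-Approval-CAD'   # name used in the article

# Exchange-only location is what makes the approval action available at all.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Scenario D: hold large outbound attachments for manager approval' `
    -ExchangeLocation All `
    -Mode TestWithNotifications      # approval only takes effect once Mode is Enable

# Path A: route the message to the sender's manager from Entra ID.
# Trigger: any attachment over 10 MB AND an external recipient.
New-DlpComplianceRule -Name 'Check Large Attachments' -Policy $policyName `
    -AttachmentSizeOver 10MB `
    -AccessScope NotInOrganization `
    -Moderate @{ moderateMessageByManager = $true } `
    -NotifyUser 'LastModifier' `
    -NotifyPolicyTipCustomText 'Your message is awaiting approval from your supervisor.'

# Path B: a fixed gatekeeper instead of the manager (swap the Moderate value).
# New-DlpComplianceRule -Name 'Check Large Attachments' -Policy $policyName `
#     -AttachmentSizeOver 10MB -AccessScope NotInOrganization `
#     -Moderate @{ moderateMessageByUser = @('compliance@firma.de') } `
#     -NotifyUser 'LastModifier' `
#     -NotifyPolicyTipCustomText 'Your message is awaiting approval by the compliance team.'

# Sanity check: the rule must be tied to an Exchange-only policy
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
```

If the Get-DlpCompliancePolicy output shows anything in SharePointLocation or OneDriveLocation, the approval action will be hidden in the portal and the rule will not behave as intended; empty those locations first.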


What happens technically?

  1. The user clicks Send.
  2. The email leaves the sender’s mailbox but is not delivered to the external recipient.
  3. The manager receives a system email with the subject “Approval Required”. He sees the content and the attachments.
  4. There are two buttons in the mail: Approve and Reject .
  5. Only when the manager clicks “Approve” does Exchange release the mail to the actual recipient.

[Figure: Microsoft 365 Purview DLP approval flow]

Tip: Use this sparingly! If you apply this rule to every invoice, your department heads will rebel. Use it only for critical business scenarios (“high impact, low frequency”).

Summary of the scenarios

You now have a complete toolbox for Exchange Online DLP:



Scenario, goal, action and mentality at a glance:

  • A: Emergency brake. Goal: prevent credit cards/PII from going external. Action: block + NDR. Mentality: “Stop! That is forbidden.”
  • B: Seat belt. Goal: send confidential items securely. Action: auto-encryption (OME). Mentality: “Drive on, but safely.”
  • C: Internal firewall. Goal: separate departments (HR/Sales). Action: block internally. Mentality: “Need-to-know principle.”
  • D: Control room. Goal: complex decisions. Action: forwarding to managers. Mentality: “Four eyes see more.”

User Experience: What does the user see?

Getting the technology right is the mandatory part; winning user acceptance is where the real skill lies. Exchange DLP differs from many other background security features (like Defender) because it’s very “noisy.” The user immediately notices that something is happening. This is intentional, but it has the potential to be frustrating.

We distinguish between two levels of interaction: the preventive warning (policy tip) and the reactive blockade (NDR).

Real-time education

The most powerful tool of DLP is the “Policy Tip”. Even before the employee presses “send”, the Outlook client (or OWA) scans the content of the email and attachments.

If the system finds a credit card number or a “Strictly Confidential” label, a yellow bar appears at the top of the email window.

  • The message: “This email violates a policy.”
  • The effect: This is not a ban, but a nudge. The user learns: “Ah, I’m not allowed to send this Excel list to my GMX address.” He can remove the receiver or delete the contents, and the bar disappears.

Important: In Outlook Web Access (OWA – Outlook.com) and New Outlook for Windows, these tips appear almost immediately. In Outlook Classic Desktop, it may take a few seconds (depending on the version and cache) for the client to complete the check.



The NDR: When the door closes

If the user ignores the tip or uses a client that does not support tips (e.g. an old mail app on the smartphone), the block action takes effect on the server.

The email leaves the Outbox but is intercepted by the Exchange Transport service. The sender receives a Non-Delivery Report (NDR) a few seconds later. This NDR is not a cryptic error message (“Error 5.7.1”) but a readable message generated by Microsoft. It explains:

  1. What happened (message blocked).
  2. Why it happened (Sensitive data found).
  3. What the user can do (e.g. remove the attachment).

If you activated the override in the previous step, this mail often contains a link or button with which the user can send the mail again – this time with a reason.

Safe Deployment: Simulation Mode

Microsoft forces you to make a decision at the end of the wizard. The only valid option for a new architecture is: “Execute policy in simulation mode”.

From a technical point of view, you separate detection from enforcement here. The system checks traffic against your conditions and writes matches to the audit log, but doesn’t perform any blocking actions (like NDRs or encryption).

The hybrid test (recommended): In addition, activate the checkbox “Show policy tips in simulation mode”. This is the ideal middle ground for onboarding:

  • Technology: The mail flow remains undisturbed (no block).
  • User Experience: The user already sees the yellow warning bar in the client. This allows you to validate whether the warning appears in the right place without jeopardizing operations.


Note: Leave the “Enable the policy after 15 days…” option unchecked. In the security architecture, a go-live is never time-based (“blind”), but only after manual evaluation of the logs (quality gate). If you forget this automation, you risk unchecked disruptions in the operational business after two weeks.

Monitoring & Tuning (Filtering the Noise)

After the policy runs in simulation mode, you let it work for 1-2 weeks. During this time, you collect data. In the Purview portal, navigate to Data loss prevention > Activity explorer.

Here you can see each “match”. Your task as admin is now the analysis:

  1. Finding false positives: Was the internal article number 1234-5678-9012-3456 incorrectly recognized as a credit card?
  2. Adjust the rule: If so, go back to the policy and add an exception or increase the required accuracy (confidence level).
  3. Arming: Only when only real risks appear in the Activity Explorer do you set the switch in the policy to “Turn it on”.

This iterative process ensures that DLP increases your security without disrupting business operations.
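The same review loop can be scripted, which helps when the Activity Explorer is too coarse for a noisy rule. The following is an added example (not code from the article): it pulls two weeks of Exchange DLP matches from the unified audit log, ranks senders and rules by match count, then tunes the rule and finally arms the policy. It assumes the Scenario A policy name from the article and a rule named “Block-Financial-External” (my own name); the AuditData field names are written as I recall them from the DLP audit schema, so dump one raw record first and adjust the property paths if your tenant’s records differ. The recipient-domain exception and the auditor domain are placeholders.

```powershell
# Added example (not the article's own code): monitoring and tuning in PowerShell.
Connect-IPPSSession

$policyName = 'DLP-EXO-Block-Financial-External'   # name used in the article
$ruleName   = 'Block-Financial-External'           # my own rule name, adjust to yours

# 1. Two weeks of Exchange DLP matches from the unified audit log.
#    RecordType ComplianceDLPExchange = Exchange DLP events; AuditData is JSON.
$dlpEvents = Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-14) -EndDate (Get-Date) `
    -RecordType ComplianceDLPExchange -Operations DlpRuleMatch -ResultSize 5000

# Look at one raw record to confirm the property names used below
$dlpEvents | Select-Object -First 1 | ForEach-Object { $_.AuditData | ConvertFrom-Json | ConvertTo-Json -Depth 8 }

# 2. Flatten each match to sender / rule / matched info types and rank the noise.
#    Property paths (ExchangeMetaData.From, PolicyDetails[].Rules[]...) are
#    from my reading of the DLP audit schema; verify against the dump above.
$summary = $dlpEvents |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    ForEach-Object {
        $rules = $_.PolicyDetails | ForEach-Object { $_.Rules }
        [pscustomobject]@{
            Sender = $_.ExchangeMetaData.From
            Rule   = ($rules | ForEach-Object { $_.RuleName }) -join ','
            SITs   = ($rules |
                        ForEach-Object { $_.ConditionsMatched.SensitiveInformation } |
                        ForEach-Object { $_.SensitiveInformationTypeName } |
                        Sort-Object -Unique) -join ','
        }
    } |
    Group-Object Sender, Rule, SITs |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
$summary | Format-Table -AutoSize

# 3. Tune: raise the confidence threshold (article numbers that look like
#    card numbers usually only reach low/medium confidence) and exempt a
#    trusted recipient domain, e.g. your external auditor (placeholder).
Set-DlpComplianceRule -Identity $ruleName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number'; minCount = '1'; minConfidence = '85' }
        @{ Name = 'International Banking Account Number (IBAN)'; minCount = '1'; minConfidence = '85' }
        @{ Name = 'Germany Identity Card Number'; minCount = '1'; minConfidence = '85' }
    ) `
    -ExceptIfRecipientDomainIs 'auditor.example'

# 4. Quality gate passed? Only then switch from simulation to enforcement.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode
```

Run steps 1 and 2 repeatedly during the simulation period and keep step 4 out of any scheduled job; the switch to Enable should remain a deliberate, reviewed action.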



Conclusion: Trust is good, control is automated

With the setup of Exchange Online DLP, you’ve taken control of what is probably your organization’s most critical and oldest communication channel. Email is often the biggest “data leak” because it’s so easy to make mistakes.

From today on, you no longer rely on employees under stress remembering not to send data unencrypted – the system now thinks for them. You have taken the step from reactive “fire brigade” (data is gone, we have to report) to proactive security.

This is what we achieved today:

  • 🔍 Transparency: You are no longer groping in the dark. In simulation mode, you can see in black and white for the first time how often sensitive data actually leaves your company – and where.
  • 🛡️ Security: Critical information (such as credit card details or customer lists) is actively blocked before it can cause damage. The “emergency brake” works.
  • ⚖️ Compliance: Legitimate business processes are not hindered, but are “Privacy by Design” compliant through automatic encryption (OME). The workflow is retained, the risk is reduced.

What happens next? (Your homework)

DLP is not a project that you can complete in an afternoon. It’s a process. Now let these policies run in simulation mode for at least 1-2 weeks. Resist the urge to click “Turn it on” right away.

Use this time for fine-tuning:

  1. Regularly check the “DLP Matches” in the Activity Explorer of the Purview Portal.
  2. Does the rule apply to internal signatures or article numbers? (False Positives).
  3. Adjust the confidence levels or add exceptions.

Only when the “noise” is minimized and you are sure that no legitimate invoices are blocked do you activate the policy.
