+| **Message is received from any of these domains** <br><br> **Message is not received from any of these domains** | Apply the policy to include or exclude specific domains in received messages.<br><br> Make sure to use the following syntax when entering conditional text: <br><br>-Enter each domain and separate multiple domains with a comma.<br> -Do not include spaces between items separated by a comma.<br> -Remove all leading and trailing spaces.<br><br> Each domain entered is applied separately, only one domain must apply for the policy to apply to the message. If you want to use **Message is received from any of these domains** to look for messages from specific emails address you need to combine this with another condition like **Message contains any of these words** or **Content matches any of these classifiers** or you might get unexpected results. <br><br> If you want to scan all email from a specific domain, but want to exclude messages that don't need review (newsletters, announcements, and so on), you must configure a **Message is not received from any of these domains** condition that excludes the email address (example newsletter@contoso.com). |

+|Auto-quarantine file from unallowed apps | Supported | Supported (preview)| |

+#### Auto-quarantine

+When enabled, Auto-quarantine is triggered when a restricted app attempts to access a DLP-protected sensitive item. Auto-quarantine moves the sensitive item to an admin-configured folder. If configured to do so, autoquarrantine can leave a placeholder (**.txt**) file in place of the original. You can configure the text in the placeholder file to tell users the new location of the item, and other pertinent information.

+You can use also auto-quarantine to prevent an endless chain of DLP notifications for the user and admins. For more information, see [Scenario 4: Avoid looping DLP notifications from cloud synchronization apps with auto-quarantine](endpoint-dlp-using.md#scenario-4-avoid-looping-dlp-notifications-from-cloud-synchronization-apps-with-auto-quarantine)

+> DLP for Microsoft Teams blocks sensitive content when shared with Microsoft Teams users who have:

+> - [guest access](/MicrosoftTeams/guest-access) in teams and channels, or

+> - [external access](/MicrosoftTeams/manage-external-access) in meetings and chat sessions.

+>

+> DLP for external chat sessions will only work if both the sender and the receiver are in Teams Only mode and using [Microsoft Teams native federation](/microsoftteams/manage-external-access). DLP for Teams does not block messages in [interop](/microsoftteams/teams-and-skypeforbusiness-coexistence-and-interoperability#interoperability-of-teams-and-skype-for-business) with Skype or non-native federated chat sessions.

+- **Example 2: Protecting sensitive information in documents**. Suppose that someone attempts to share a document with guests in a Microsoft Teams channel or chat, and the document contains sensitive information. If you have a DLP policy defined to prevent this, the document won't open for those users. Your DLP policy must include SharePoint and OneDrive in order for protection to be in place. This is an example of DLP for SharePoint that shows up in Microsoft Teams, and therefore requires that users are licensed for Office 365 DLP (included in Office 365 E3), but does not require that users be licensed for Office 365 Advanced Compliance.

+- **Example 3: Protecting communications in Teams Shared Channels**. For shared channels, the host Teams team DLP policy is applied. For example letΓÇÖs say there's a shared channel owned by Team A of Contoso. Team A has a DLP policy P1. There are three ways to share a channel:

+ - **Share with team (internally)**: You share the channel with another team within Contoso, Team B. That other team may have a different DLP policy, but that doesnΓÇÖt matter. P1 will apply to everyone in this shared channel, including both Team A and Team B users.

+ - **Share with team (cross tenant)**: You share the channel with a team, Team F, in Fabrikam. Fabrikam may have its own DLP policy, but that doesnΓÇÖt matter. P1 will apply to everyone in this shared channel, including both Team A (Contoso) and Team F (Fabrikam) users.

+Office 365 and Microsoft 365 E3 include DLP protection for SharePoint, OneDrive, and Exchange. This also includes files that are shared through Teams because Teams uses SharePoint and OneDrive to share files.

+Support for DLP protection in Teams Chat requires an E5 license.

+> DLP applies only to the actual messages in the chat or channel thread. Activity notifications,which include a short message preview and appear based on a user's notification settings, are **not** included in Teams DLP. Any sensitive information present in the part of the message that appears in the preview will remain visible in the notification, even after the DLP policy has been applied and removed sensitive information from the message itself.

+Similar to how DLP works in other locations ([Exchange, Outlook, SharePoint, OneDrive, and on Windows Devices](dlp-learn-about-dlp.md), policy tips appear when an action triggers with a DLP policy. Here's an example of a policy tip:

+Here, the sender attempted to share a social security number in a Microsoft Teams channel. The **What can I do?** link opens a dialog box that provides options for the sender to resolve the issue. Notice that the sender can opt to override the policy or notify an admin to review and resolve the issue.

+You can choose to allow users in your organization to override a DLP policy. When you configure your DLP policies, you can use the default policy tips, or [customize policy tips](#to-customize-policy-tips) for your organization.

+Returning to our example, wherein a sender shared a social security number in a Teams channel, here's what the recipient saw:

+1. Go to the Microsoft Purview compliance portal ([https://compliance.microsoft.com](https://compliance.microsoft.com)) and sign in.

+6. Scroll down to **User notifications** and select **Notify users in Office 365 service with a policy tip** and then **Customize the policy tip text**.

+1. Go to the Microsoft Purview compliance portal ([https://compliance.microsoft.com](https://compliance.microsoft.com)) and sign in.

+3. Select a policy, and then choose **Edit policy**.

+4. Navigate through the wizard until you arrive at the **Choose locations to apply the policy** page.

+5. Toggle the **Teams chat and channel messages** option to **On**.

+6. Choose **Next** and work your way through to the end of the wizard.

+

+7. Choose **Submit**.

+You can ensure that documents are protected until DLP scans and marks them as safe to share by [marking new files as sensitive by default](/sharepoint/sensitive-by-default).

+### Recommended DLP policy structure

+- **Conditions**

+ - **Content contains any of these sensitive information types**: [Select all that apply]

+

+ - **Content is shared from Microsoft 365** > **with people outside my organization**

+ > [!div class="mx-imgBorder"]

+ > 

+- **Actions**

+ - **Add an action**

+ - **Restrict access or encrypt the content in Microsoft 365 locations** > **Block only people outside your organization**

+ - **Use notifications to inform your users and help educate them on the proper use of sensitive info** > **Notify users in Office 365 with a policy tip**

+ - **Notify these people** [Select all that apply]

+ - **Policy tips** [Select all that apply]

+

+ > [!div class="mx-imgBorder"]

+ > 

+# Migrate Exchange data loss prevention policies to Microsoft Purview compliance portal

+[Exchange data loss prevention (DLP) policies](/exchange/security-and-compliance/data-loss-prevention/data-loss-prevention) are being deprecated. [Much richer DLP functionality](dlp-learn-about-dlp.md), including Exchange DLP, is offered in the [Microsoft Purview compliance portal](https://compliance.microsoft.com/datalossprevention?viewid=policies). You can use the DLP policy migration wizard to help you bring your Exchange DLP policies over to the compliance portal where you'll manage them.

+The migration wizard only migrates Exchange DLP policies and associated mail flow rules. Standalone Exchange mail flow rules aren't migrated.

+<!-- 6/15/23: No Exch. policies to migrate available. Can't validate this procedure -->

+7. You can create more policies that are based on the Exchange DLP policies for other unified DLP locations. This will result in one new unified DLP policy for the migrated Exchange policy and one new unified DLP policy for any other locations that you select here.

+|A compliance policy with name `<Name of the policy>` already exists in scenario(s) `Dlp`. |It's likely that this policy migration was done earlier and then reattempted in the same session. | Refresh the session to update the list of policies available for migration. All previously migrated policies should be in the `Already migrated` state.|

+|A compliance policy with name `<Name of the policy>` already exists in scenario(s) `Hold`. | A retention policy with the same name exists in the same tenant. | - Rename the DLP policy in EAC to a different name. </br> - Retry the migration for the affected policy.|

+|`DLP-group@contoso.com` can't be used as a value for the `Shared By` condition because it's a distribution group or mail-enabled security group. Use `Shared by Member of` predicate to detect activities by members of certain groups. | Transport rules allow groups to be used in the `sender is` condition but unified DLP doesn't allow it. | Update the transport rule to remove all group email addresses from the `sender is` condition and add the group to the `sender is a member of` condition if necessary. Retry the migration for the affected policy|

+|Couldn't find recipient `DLP-group@contoso.com`. If newly created, retry the operation after some time. If deleted or expired, reset it with valid values and try again.|It's likely that the group address used in `sender is a member of` or `recipient is a member of` condition is expired or invalid.|- Remove/replace all the invalid group email addresses in the transport rule in the Exchange admin center. </br> - Retry the migration for the affected policy.|

+|The value specified in `FromMemberOf` predicate must be a mail-enabled security group. | Transport rules allow individual users to be used in the `sender is a member of` condition; however, unified DLP doesn't allow it.|- Update the transport rule to remove all individual user email addresses from the `sender is a member of` condition and add the users to the `sender is` condition if necessary. </br> - Retry the migration for the affected policy.|

+|The value specified in `SentToMemberOf` predicate must be a mail-enabled security group. | Transport rules allow individual users to be used under the `recipient is a member of` condition but unified DLP doesn't allow it. | - Update the transport rule to remove all individual user email addresses from the `recipient is a member of` condition and add the users to the `recipient is` condition if necessary. </br> - Retry the migration for the affected policy.|

+### 1. Have an appropriate Microsoft 365 subscription

+You need to have either the *Global Administrator or Compliance Administrator* role to be able to use the migration assistant.

+The migration assistant is a Windows-based desktop application for migrating your Symantec data loss prevention (DLP) policies to Microsoft Purview Data Loss Prevention. This article takes you through the five-step migration process. The migration assistant accepts Symantec DLP policy XML exports, performs mapping, and creates equivalent DLP policies through PowerShell scripts. You can use the migration assistant to create DLP policies in test mode. Policies in test mode won't affect your live data or impact your existing business processes.

+- The migration assistant detects which conditions, exclusions, and actions are currently used in source policies and automatically creates new rules with the same conditions and actions.

+Each time the migration assistant runs, it performs the following steps:

+Check out this [interactive guide](https://mslearn.cloudguides.com/guides/Use%20the%20Microsoft%20Purview%20DLP%20migration%20assistant) for a visual walkthrough of the migration process.

+ - Enter your password in the browser window that opens and select **Sign in**.

+3. Wait until your login is validated. Simultaneously, the migration assistant fetches information that will be required in later stages of the migration process.

+You need to upload your Symantec DLP policy exports, which act as input for the migration assistant. The policies you upload will be migrated to the Microsoft Purview DLP platform.

+> There may be some items that may need your review and will be marked with 'Needs review' warning symbol.

+- Using out-of-box (OOB) Data Identifiers

+- Customizing OOB Data Identifiers

+- Defining regular expressions and/or keywords in DLP rules

+- **Map to an existing OOB SIT:** For each sensitive data type for which there is an equivalent SIT in Microsoft DLP, the migration assistant will attempt to create a 1:1 mapping. It automatically maps OOB Symantec Data Identifiers to pre-configured Microsoft SITs, if an equivalent exists. If you want to bring the Symantec Data Identifier over as-is, then you can create a new SIT as described in the next step.

+- **Migrate as a new custom SIT:** For each sensitive data type for which there isn't an equivalent SIT available in Microsoft DLP, the migration assistant will automatically create a new SIT. Similarly, any regular expression(s) or keyword(s) defined directly in rules will be brought over as a new custom SIT.

+> Regular expressions and/or keywords defined directly at the rule-level of Symantec policies will take on the name of the rule itself and show up in the **Source** column. In case of multiple regular expressions and/or keywords, it will take the name of the rule name followed by roman numerals.

+>Each of these will be migrated separately as a custom SIT. This may lead to confusion. We recommend you review and rename these SITs as soon as possible.

+>You can't edit the name of these SITs within the migration assistant. You can edit the names of these custom SITs from Microsoft Purview compliance portal or via PowerShell after the policy migration has been completed.

+For example, a Purview DLP policy that's scoped to email can be extended to SharePoint, OneDrive, Teams, and Endpoint Devices.

+For example, the **Email subject is** condition may be dropped while extending an email (Exchange) DLP policy to OneDrive.

+Some checkboxes may be disabled by default if there are no supported conditions available in extended locations.

+Editing a row element - When editing one or more row elements, you'll be navigated to an **Edit** screen with more details about that row element. If there are any issues, they will be reported via a yellow banner at the top of the screen. You may need to make changes to the content in the editable sections. Those changes will then be incorporated at the time of migration. Once you resolve the issues in the content, the yellow banner will disappear.

+Use existing SITs from tenant to automatically replace the current SIT. You may choose to replace the current SIT (which is being edited) with another SIT from your tenant.

+You can manually change any of the mappings by selecting the corresponding row in the ΓÇÿTargetΓÇÖ column. This opens a drop-down list with all the out-of-box SITs (OOB SITs) and all the custom SITs (if any) that you may have previously created. You can choose the option to which you wish to map to the ΓÇÿSourceΓÇÖ row item. Alternatively, you can also choose the option **New SIT** from the drop-down. The migration assistant will then bring over the Source SIT as a new custom SIT.

+We strongly recommend using existing SITs to replace current SITs wherever possible to help reduce creation of duplicate SITs and also reduce effort of optimizing multiple custom SITs of the same kind. Learn more about [sensitive information type entity definitions](sensitive-information-type-entity-definitions.md).

+1. Choose whether to turn on or off from the following three options:

+You should visit the compliance portal and validate the policies you just migrated.

+1. To validate that the SITs were created, navigate to **Data Classification** > **Classifiers** > **Sensitive Info Types** and look for the SITs. You can also sort the list on **Publisher** and check for SITs with a publisher name of ΓÇ£DLP Migration ToolΓÇ¥.

+2. Rename SITs as needed. For many SITs, you may notice there are similar names, often followed by roman numerals. To avoid confusion and duplication post-migration, you should rename these SITs. This is true for cases where your regular expressions and keywords are defined directly in rules within your input Symantec DLP policies.

+ 1. Confirm that you've installed all the prerequisites using the links/versions mentioned in [Before you start](dlp-migration-assistant-for-symantec-get-started.md#before-you-begin).

+ 2. Ensure that you've restarted the machine after installing the prerequisites.

+ 3. Ensure that you're running the tool in *admin mode* using the **Run as administrator** option when starting the application.

+ 4. Ensure that your PowerShell module path is set correctly using these steps:

+ 1. Go to **Edit system environment variables**.

+ 2. Add this path in the **PsModulePath** user variable: `C:\Program Files\PowerShell\7\Modules`.

+ 3. Move this up and keep at the top.

+ 4. Restart the tool in administrator mode.

+2. On the **Details** tab, look for *msiexec.exe* and select **End Task**.

+3. Try to install or uninstall again, or, wait until the installation is finished.

+> All users who contribute to the scanned location, either by adding files or consuming files, need to have a license, not just the scanner user.

+Data from DLP can be viewed in [activity explorer](data-classification-activity-explorer.md). There are four roles that grant permission to activity explorer, the account you use for accessing the data must be a member of any one of them.

+Here's a list of applicable roles. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).

+Here's a list of applicable role groups. To learn more, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).

+- The Microsoft Purview information protection scanner implements DLP policy matching and policy enforcement. The scanner is installed as part of the AIP client, so your installation must meet all the prerequisites for AIP, the AIP client, and the AIP unified labeling scanner.

+ 1. You must create a content scan job and specify the repositories that host the files to be evaluated by the DLP engine.

+ 2. Enable DLP rules in the created content scan job, and set the **Enforce** option to **Off** (unless you want to proceed directly to the DLP enforcement stage).

+3. Verify that your content scan job is assigned to the right cluster. If you haven't created a content scan job, create a new one and assign it to the cluster that contains the scanner nodes.

+ 1. Set the scanner schedule

+ 1. Use the manual **Scan Now** option in the portal

+ 1. Run **Start-AIPScan** PowerShell cmdlet

+ > Remember that the scanner runs a delta scan of the repository by default and files that were scanned in the previous scan cycle will be skipped, unless the file was changed or you initiated a full rescan. A full rescan can be initiated by using the **Rescan all files** option in the UI or by running **Start-AIPScan-Reset**.

+7. Choose **Create policy** and create a test DLP policy. See [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) if you need help with creating a policy. Be sure to run it in test mode until you're comfortable with this feature. Use these parameters for your policy:

+ 1. Scope the DLP on-premises repositories rule to specific locations if needed. If you scope **locations** to **All**, all files scanned will be subject to the DLP rule matching and enforcement.

+> The *exclusion* list takes precedence over the *inclusions* list.

+> The Information Protection scanner requires that auditing be enabled. Auditing is enabled by default in Microsoft 365.

+3. Open the [Audit log in the compliance center](https://security.microsoft.com/auditlogsearch). The DLP rule matches are available in the Audit log UI or accessible by [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog) in PowerShell.

+When you select the **On-premises repositories** location, Microsoft Purview Data Loss Prevention (DLP) can enforce protective actions on on-premises data-at-rest in file shares and SharePoint document libraries and folders. This gives you the visibility and control you need to ensure that sensitive items are used and protected properly, and to help prevent risky behavior that might compromise them. The DLP detects sensitive information by using [built-in](sensitive-information-type-entity-definitions.md) or [custom sensitive information](create-a-custom-sensitive-information-type.md) types, [sensitivity labels](sensitivity-labels.md) or file properties. The information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](dlp-learn-about-dlp.md).

+- custom document properties on Office files only

+When a detected file poses a compliance policy violation or potential risk if leaked, DLP can take one of the following four actions.

+|**Block people from accessing file stored in on-premises scanner - Block everyone** | When enforced, this action blocks access to all accounts except the content owner, the account that last modified the item, and the administrator. It does this by removing all accounts from NTFS/SharePoint permissions at the file level except for the file owner, repository owner (set in the [Use a DLP policy](deploy-scanner-configure-install.md#use-a-dlp-policy) setting in content scan job), last modifier (can be identified in SharePoint only), and admin. The scanner account is also granted FC rights on the file. |

+|**Block only people who have access to your on-premises network and users in your organization who weren't granted explicit access to the files from accessing file** | When enforced, this action removes the ***Everyone***, ***NT AUTHORITY\authenticated users***, and ***Domain Users*** SIDs from the file access control list (ACL). Only users and groups that have been explicitly granted rights to the file or parent folder will be able to access the file.|

+|**Set permissions on the file (permissions will be inherited from the parent folder)**| When enforced, this action forces the file to inherit the permissions of its parent folder. By default, this action will only be enforced if the permissions on the parent folder are more restrictive than the permissions that are already on the file. For example, if the ACL on the file is set to allow only ***specific users*** and the parent folder is configured to allow the ***Domain Users*** group, the parent folder permissions wouldn't be inherited by the file. You can override this behavior by selecting the **Inherit even if parent permissions are less restrictive** option. |

+|**Remove the file from improper location** | When enforced, this action replaces the original file with a stub file with .txt extension and places a copy of the original file in a quarantine folder.

+You must create a content scan job in the information protection scanner and identify the repositories that host the files that you want to DLP to evaluate. Make sure you enable DLP rules in the created AIP content scan job.

+To help familiarize you with Microsoft Purview Data Loss Prevention on-premises features and how they surface in DLP policies, we've put together a couple of scenarios for you to follow.

+> These DLP on-premises scenarios are not the official procedures for creating and tuning DLP policies. Refer to the following topics when you need to work with DLP policies in general situations:

+## Scenario: Discover files matching DLP rules

+### Activity explorer

+### Microsoft 365 Audit log

+The DLP rule matches are also available in the Audit log UI (see [Search the audit log in the Microsoft Purview compliance portal](audit-log-search.md)) and are accessible via PowerShell through the[Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog).

+### AIP

+Discovery data is available in a local report in .csv format and is stored under:

+## Scenario: Enforce DLP rule

+### Configure DLP to enforce policy actions

+Every organization will plan for and implement data loss prevention (DLP) differently because every organization's business needs, goals, resources, and situation are unique to them. However, there are elements that are common to all successful DLP implementations. This article presents the best practices that are used by organizations in DLP planning.

+Many organizations choose to implement DLP to comply with various governmental or industry regulations. For example, the European Union's General Data Protection Regulation (GDPR), or the Health Insurance Portability and Accountability Act (HIPAA), or the California Consumer Privacy Act (CCPA). They also implement data loss prevention to protect their intellectual property. However, the starting place and ultimate destination in the DLP journey vary.

+- from a platform focus, for instance, if they want to protect information in Teams Chat and Channel messages or on Windows 10 or 11 devices

+- without knowing what their sensitive information is, where it is, or who is doing what with it; in this case they start with discovery and categorization and take a more methodical approach

+- without knowing what their sensitive information is, or where it is, or who is doing what with it, but moving straight to defining policies and using those outcomes as a starting place and then refining their policies from there

+- knowing that they need to implement the full Microsoft Purview Information Protection stack and so take a longer term, methodical approach

+These are just some examples of how customers can approach DLP. It doesn't matter where you start from, DLP is flexible enough to accommodate various types of information protection journeys from start to a fully realized data loss prevention strategy.

+When implemented, DLP policies can be applied across large portions of your organization. Your IT department can't develop a broad ranging plan on their own without negative consequences. You need to identify the stakeholders who can:

+- prioritize which data should be protected first, based on the sensitivity of the items and risk involved

+- outline the DLP policy match event review and remediation process

+In general, these needs tend to be 85% regulatory and compliance protection, and 15% intellectual property protection. Here are some suggestions on roles to include in your planning process:

+Once identified, the stakeholders then describe the categories of sensitive information to be protected and the business processes that they're used in. For example, DLP defines these categories:

+- Financial

+Stakeholders might identify the sensitive information as "We are a data processor, so we have to implement privacy protections on data subject information and financial information".

+- Mapping out your starting state, desired end state, and the steps to get from one to the other

+- policy planning and the order in which policies will be implemented

+##### What laws, regulations, and industry standards must your organization comply with?

+Because many organizations come to DLP with the goal of regulatory compliance, answering this question is a natural starting place for planning your DLP implementation. But, as the IT implementer, you're probably not positioned to answer it. It needs to be answered by your legal team and business executives.

+Once your organization knows where it stands in terms of regulatory compliance needs, you'll have some idea of what sensitive items need to be protected from leakage and how you want to prioritize policy implementation to protect them. This will help you choose the most appropriate DLP policy templates. Microsoft Purview comes with pre-configured DLP templates for Financial, Medical and health, Privacy. You can also build your own policies using the Custom template. As you design and create your actual DLP policies, knowing the answer to this question will also help you choose the right [sensitive information type](sensitive-information-type-learn-about.md#learn-about-sensitive-information-types).

+If your organization has implemented [administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview), you can scope your DLP policies by administrative unit or leave the default full directory scoping. See [Policy Scoping](dlp-policy-reference.md#policy-scoping)(preview) for more details.

+The items that contain your organization's sensitive information are used every day in the course of doing business. You need to know where instances of that sensitive information may occur and what business processes they are used in. This will help you choose the right locations to apply your DLP policies to. DLP policies are applied to locations:

+- Windows 10, 11, and macOS Devices

+**Example** Your organization's internal auditors are tracking a set of credit card numbers. They keep a spreadsheet of them in a secure SharePoint site. Several of the employees make copies and save them to their work OneDrive site, which is synced to their Windows 10 device. One of them pastes a list of 14 of those credit card numbers into an email and tries to send it to the outside auditors for review. You'd want to apply the policy to the secure SharePoint site, all the internal auditors' OneDrive accounts, their Windows 10 devices, and Exchange email.

+**Example** Your organization's security group and legal team both feel that there should be no sharing of credit card numbers with anyone outside the org and insist on zero leakage. But, as part of regular review of credit card number activity, the internal auditors must share some credit card numbers with third-party auditors. If your DLP policy prohibits all sharing of credit card numbers outside the org, there will be a significant business process disruption and added cost to mitigate the disruption in order for the internal auditors to complete their tracking. This extra cost is unacceptable to the executive leadership. To resolve this, there needs to be an internal conversation to decide an acceptable level of leakage. Once that is decided the policy can provide exceptions for certain individuals to share the information or it can be applied in audit only mode.

+Before you can monitor some DLP locations, there are prerequisites that must be met. See the **Before you begin** sections of the following articles:

+3. **Start full enforcement on the policies** so that the actions in the rules are applied and the content is protected. Continue to monitor the DLP reports and any incident reports or notifications to make sure that the results are what you intend.

+ 

+ 

+ You can also change the priority of multiple rules in a policy. To do that, open a policy for editing. In the row for a rule, choose the ellipses (**...**), and then move an item down in the list to the desired position.

+ You can configure your policies sot that, when a DLP policy is triggered, an [email notification is sent to admins and policy tips are shown to end users](use-notifications-and-policy-tips.md#send-email-notifications-and-show-policy-tips-for-dlp-policies). While your policies are still in test mode, and before they are set to enforce a blocking action, policy tips are useful ways to raise awareness of risky behaviors on sensitive items and for training users to avoid those behaviors in the future.

+|**Contoso Bank** is in a highly regulated industry and has many different types of sensitive items in many different locations. Contoso </br> - knows which types of sensitive information are top priority. </br> - must minimize business disruption as policies are rolled out. </br> - has IT resources and can hire experts to help plan, design, and deploy </br> - has a premier support contract with Microsoft| - Take the time to understand what regulations they must comply with and how they are going to comply. </br> - Take the time to understand the better together value of the Microsoft Purview Information Protection stack </br> - Develop a sensitivity labeling scheme for prioritized items and apply </br> - Involve business process owners </br>- Design/code policies, deploy in test mode, train users </br>- repeat|

+|**TailSpin Toys** doesnΓÇÖt know what they have or where it is, and have little to no resource depth. They use Teams, OneDrive, and Exchange extensively. |- Start with simple policies on the prioritized locations. </br>- Monitor what gets identified </br>- Apply sensitivity labels accordingly </br>- Refine policies and train users |

+|**Fabrikam** is a small startup and wants to protect its intellectual property. It must move quickly. They are willing to dedicate some resources, but can't afford to hire outside experts. </br>- Sensitive items are all in OneDrive and SharePoint </br>- Adoption of OneDrive and SharePoint is slow, employees/shadow IT use DropBox and Google Drive to share/store items </br>- Employees value speed of work over disciplined data protection </br>- Customer splurged and bought all 18 employees new Windows devices |- Take advantage of the default DLP policy in Teams </br>- Use the *restricted by default* setting for SharePoint items </br>- Deploy policies that prevent external sharing </br>- Deploy policies to prioritized locations </br>- Deploy policies to Windows devices </br>- Block uploads to non-OneDrive for Business cloud storage |

+> When emails are encrypted with Microsoft Purview Message Encryption and the policy used to detect them uses the *detect encryption* condition, policy tips will not appear.

+These preconfigured sensitive information types (SITs) support policy tips in Outlook on the Web.

+Custom sensitive information types that use REGEX, functions, keyword lists, and keyword dictionaries support policy tips in Outlook on the Web. For more details, see [Create custom sensitive information types in the compliance portal](create-a-custom-sensitive-information-type.md) and [Create a custom sensitive information type using PowerShell](create-a-custom-sensitive-information-type-in-scc-powershell.md).

+Taking the time to design a policy before you implement it will get you to the desired results faster, with fewer unintended issues, than creating it and then tuning by trial and error alone. Having your policy designs documented will also help you in communications, policy reviews, troubleshooting, and further tuning.

+You should be able to summarize, in a single statement, the business intent for every policy you have. Developing this statement will drive conversations in your organization and, when fully fleshed out, this statement directly links the policy to a business purpose and provides a roadmap for policy design. The steps in the [Plan for data loss prevention (DLP)](dlp-overview-plan-for-dlp.md#overview-of-planning-process) article will help you get started on your policy intent statement.

+*"We are a U.S. based organization, and we need to detect Office documents that contain sensitive health care information covered by HIPPA that are stored in OneDrive/SharePoint and to protect against that information being shared in Teams chat and channel messages and restrict everyone from sharing them with unauthorized third parties".*

+This example doesn't cover all the configuration points of a DLP policy; it would need to be expanded. However, it should get you thinking in the right direction as you develop your own DLP policy intent statements.

+> Keep in mind that the location(s) you pick impact whether you can use sensitive information types, sensitivity labels, and retention labels, as well as the actions that are available. See [Data Loss Prevention policy reference](dlp-policy-reference.md#data-loss-prevention-policy-reference) for more information.

+> - You need to create groups in order to use multiple operators.

+> - Using the NOT condition in a nested group replaces the **Exceptions** functionality.

+> - You need to create groups in order to use multiple operators.

+> When an action in Office desktop client apps (Word, Outlook, Excel, and PowerPoint) matches a policy that uses complex conditions, the user will only see policy tips for rules that use the **Content contains sensitive information** condition.

+> Policies can't be renamed once they are created. If you must rename a policy, you will have to create a new one with the desired name and retire the old one. So, from the outset, decide on the naming structure that all your policies will use.

+7. Decide which policy template you will start from: predefined or custom.

+DLP policy templates are sorted into four categories:

+- policies that can detect and protect types of **Financial** information.

+- policies that can detect and protect types of **Medical and health** information.

+- policies that can detect and protect types of **Privacy** information.

+- A **Custom** policy template that you can use to build your own policy if none of the others meet your organization's needs.

+The following table lists all policy templates and the sensitive information types (SIT) that they cover.

+in your organization (depending on the locations that are selected) or to subgroups of your organization called [Administrative Unit restricted policies (preview)](#administrative-unit-restricted-policies-preview).

+The second level of DLP policy scoping is by the [locations](#locations) that DLP supports. At this level, both unrestricted and administrative unit restricted administrators will see only the users, distribution groups, groups, and accounts that were included in the first level of policy scoping and that are available for that location.

+|Devices|Yes |- Distribution groups </br> - Security groups </br> - Non-mail enabled security groups </br> - Microsoft 365 groups (Group members only, not the group as an entity) | data-in-use </br> data-in-motion |- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md) </br>- [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md) </br>- [Configure device proxy and internet connection settings for Information Protection](device-onboarding-configure-proxy.md#configure-device-proxy-and-internet-connection-settings-for-information-protection) |

+If you choose to include specific distribution groups in Exchange, the DLP policy is scoped only to the emails sent by members of that group. Similarly, excluding a distribution group excludes all the emails sent by the members of that distribution group from policy evaluation.

+Say you have four users in your org, *U1*, *U2*, *U3*, *U4* and two distribution groups *DG1*, and *DG2* that you'll use for defining Exchange location inclusion and exclusion scopes. Group membership is set up like this:

+DLP policies detect sensitive items by matching them to a sensitive information type (SIT), or to a sensitivity label or a retention label. Each location supports different methods of defining sensitive content. When you combine locations in a policy, how the content can be defined can change from how it can be defined by a single location.

+> When you select multiple locations for a policy, a "no" value for a content definition category takes precedence over "yes" value. For example, when you select SharePoint sites only, the policy will support detecting sensitive items by one or more of SIT, by sensitivity label or by retention label. But, when you select SharePoint sites ***and*** Teams chat and channel messages locations, the policy will only support detecting sensitive items by SIT.

+DLP supports using trainable classifiers as a condition to detect sensitive documents. Content can be defined by trainable classifiers in Exchange, SharePoint sites, OneDrive accounts, Teams Chat and Channels, and Devices. For more information, see [Trainable Classifiers](classifier-learn-about.md).

+For the hosted service workloads, like Exchange, SharePoint, and OneDrive, each rule is assigned a priority in the order in which it's created. This means that the rule created first has first priority, the rule created second has second priority, and so on.

+For example, you might have a DLP policy that helps you detect the presence of information subject to the Health Insurance Portability and Accountability Act (HIPAA). This DLP policy could help protect HIPAA data (the what) across all SharePoint sites and all OneDrive sites (the where) by finding any document containing this sensitive information that's shared with people outside your organization (the conditions) and then blocking access to the document and sending a notification (the actions). These requirements are stored as individual rules and grouped together as a DLP policy to simplify management and reporting.

+Conditions are where you define what you want the rule to look for and the context in which those items are being used. They tell the rule: when you find an item that looks like *this* and is being used like *that*ΓÇöit's a match and the rest of the actions in the policy should be taken on it. You can use conditions to assign different actions to different risk levels. For example, sensitive content shared internally might be lower risk and require fewer actions than sensitive content shared with people outside the organization.

+> SITs have two different ways of defining the maximum unique instance count parameters. To learn more, see [Instance count supported values for SIT](sit-limits.md#instance-count-supported-values-for-sit).

+Sometimes you need a rule to identify only one thing, such as all content that contains a U.S. Social Security Number, which is defined by a single SIT. However, in many scenarios where the types of items you're trying to identify are more complex and therefore harder to define, more flexibility in defining conditions is required.

+Conditions can be grouped and joined by boolean operators (AND, OR, NOT) so that you define a rule by stating what should be included and then defining exclusions in a different group joined to the first by a NOT. To learn more about how Purview DLP implements booleans and nested groups see, [Complex rule design](dlp-policy-design.md#complex-rule-design).

+Any item that makes it through the ***conditions*** <!--and exclusive ***exceptions***--> filter will have any ***actions*** that are defined in the rule applied to it. You'll have to configure the required options to support the action. For example, if you select Exchange with the **Restrict access or encrypt the content in Microsoft 365 locations** action, you need to choose from these options:

+The actions that are available in a rule depend on the locations that have been selected. The available actions for each individual location are listed below.

+> For SharePoint and OneDrive locations, documents will be proactively blocked right after detection of sensitive information (regardless of whether the document is shared or not) for all external users; internal users will continue to have access to the document.

+The devices location provides many sub-activities (conditions) and actions. To learn more, see [Endpoint activities you can monitor and take action on](endpoint-dlp-learn-about.md#endpoint-activities-you-can-monitor-and-take-action-on).

+With the **File activities for all apps** option, you select either **Don't restrict file activities** or **Apply restrictions to specific activities**. When you select **Apply restrictions to specific activities**, the actions that you select here are applied when a user has accessed a DLP protected item. You can tell DLP to `Audit only`, `Block with override`, or `Block` (the actions) these user activities:

+Previously called Unallowed apps, *restricted app activities* are apps that you want to place restrictions on. You define these apps in a list in Endpoint DLP settings. When a user attempts to access a DLP protected file using an app that is on the list, you can either `Audit only`, `Block with override`, or `Block` the activity. DLP actions defined in **Restricted app activities** are overridden if the app is a member of restricted app group. Then the actions defined in the restricted app group are applied.

+- Restrict access or encrypt the content in Microsoft 365 locations and all actions for the non-Exchange location actions are available.

+- Restrict access or encrypt the content in Microsoft 365 locations and all actions for non-Exchange locations actions will be available.

+For example, if you select the Exchange and Devices locations, these actions will be available:

+When a user attempts an activity on a sensitive item in a context that meets the conditions of a rule (for example, content such as an Excel workbook on a OneDrive site that contains personally identifiable information (PII) and is shared with a guest), you can let them know about it through user notification emails and in-context policy tip popups. These notifications are useful because they increase awareness and help educate people about your organization's DLP policies.

+The user notifications and policy tips configuration options vary depending on the monitoring locations you've selected. If you selected:

+If you selected Devices only, you'll get all the same options that are available for Exchange, SharePoint, OneDrive, Teams Chat and Channel, and Defender for Cloud Apps, plus the option to customize the notification title and content that appears on the Windows 10/11 device.

+Users may want to learn why their activity is being blocked. You can configure a site or a page that explains more about your policies. When you select **Provide a compliance URL for the end user to learn more about your organization's policies (available for Exchange workload only)**, and the user receives a policy tip notification in Outlook Win 32, the *Learn more* link will point to the site URL that you provide. This URL has priority over the global compliance URL configured with [Set-PolicyConfig -ComplainceURL](/powershell/module/exchange/set-policyconfig?view=exchange-ps&preserve-view=true ).

+> You must configure the site or page that *Learn more* points to from scratch. Microsoft Purview doesn't provide this functionality out of the box.

+The intent of **User overrides** is to give users a way to bypass, with justification, DLP policy blocking actions on sensitive items in Exchange, SharePoint, OneDrive, or Teams, so that they can continue their work. User overrides are enabled only when **Notify users in Office 365 services with a policy tip** is enabled, so user overrides go hand-in-hand with Notifications and Policy tips.

+DLP scans email differently than it does SharePoint or OneDrive items. In SharePoint and OneDrive, DLP scans existing items as well as new ones and generates an incident report whenever a match is found. In Exchange, DLP only scans new email messages and generates a report if there's a policy match. DLP ***does not*** scan or match previously existing email items that are stored in a mailbox or archive.

+Currently, Outlook 2013 and later support showing policy tips for policies that contain these conditions:

+All the conditions work for emails authored in the Outlook client app, where they'll match content and enforce protective actions on content. However, showing policy tips to users isn't supported for any conditions that are used apart from the ones mentioned above.

+For E5 licensed users, DLP policy tips will be shown in Outlook 2013 and later for policies that use:

+Custom sensitive information types (SITs) will also be detected in addition to the above out-of-the-box sensitive information types

+|**Outlook On the Web**|:::image type="icon" source="../medi)|

+- DLP policies that are applied to the DLP location support sensitivity labels and sensitive information types as conditions.

+Data from DLP for Power BI can be viewed in [Activity explorer](/microsoft-365/compliance/data-classification-activity-explorer). There are four roles that grant permission to activity explorer; the account you use for accessing the data must be a member of any one of them:

+You define a DLP policy in the Data Loss Prevention (DLP) section of the compliance portal. See, [Design a data loss prevention policy](dlp-policy-design.md#design-a-data-loss-prevention-policy). In the policy, you specify the sensitivity label(s) and/or sensitive information types that you want to detect. You also specify the action(s) that will occur when the policy detects a dataset that has a specified sensitivity label applied. DLP policies support two actions for Power BI:

+When a dataset is evaluated by DLP and matches the conditions in a DLP policy, the actions defined in the policy are applied. A dataset is evaluated occurs when it is:

+- Published

+- Republished

+- On-demand refreshed

+- Scheduled refreshed

+- If the policy has user notifications configured, it will be marked in the Power BI service with a shield icon to indicate that it matches a DLP policy.

+- Exchange email messages

+- SharePoint

+- OneDrive

+You can use sensitivity labels as conditions on these items and in the scenarios that follow.

+\** Attachments sent in Teams over 1:1 chat or channels are automatically uploaded to OneDrive and SharePoint. So if SharePoint or OneDrive are included as locations in your DLP policy, then labeled attachments sent in Teams will be automatically included in the scope of this condition. Teams as a location does not need to be selected in the DLP policy.

+> DLP's ability to detect sensitivity labels in SharePoint and OneDrive is limited. For more information, see [Enable sensitivity labels for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md#limitations).

+Users with the [appropriate permissions](dlp-configure-view-alerts-policies.md#roles) can view Microsoft Purview Data Loss Prevention (DLP) alerts in the DLP Alerts console. However, as alerts are triaged and investigated, you may need to share them with other users who don't, and shouldn't, have full permissions to DLP and the alerts console.

+You can share an alert with users to whom you give limited permissions for using the procedures described in this article.

+In this procedure, you need to create a custom role group for Microsoft Purview. If you haven't worked with permissions, roles, and role groups in Microsoft Purview, see [Permissions in the Microsoft Purview compliance portal](/microsoft-365/compliance/microsoft-365-compliance-center-permissions).

+6. The value in the **Time detected** field is the local time. You need to convert that value to UTC time for use in the `creationtime` parameter. There are a number of local-to-UTC time converters available via an internet search.

+8. You can share this link with people in the group you created. They'll be able to access the alert for review and investigation.

+**Test-DlpPolicies** is a cmdlet that allows you to see what DLP policies scoped to SharePoint and OneDrive match/don't match an individual item in SharePoint or OneDrive.

+> - Test-DlpPolicies only works for items that are in SharePoint or OneDrive.

+> - It will only report results for policies that include SharePoint alone, OneDrive alone, or SharePoint and OneDrive in their scope.

+1. Select the file's ellipsis and select **details**.

+1. In the details pane, scroll down and select **Path**. Copy the direct link and save it.

+1. For SharePoint, use the following syntax to get the site ID and save it:

+1. Run the following syntax in the PowerShell window:

+The report is sent to the SMTP address that you passed the Test-DlpPolicies PowerShell command to. There are multiple fields. Here are explanations of the most important ones.

+description: Learn how to use DLP policies for non-Microsoft cloud apps.

+You can scope DLP policies to Microsoft Defender for Cloud Apps to monitor, detect, and take actions when sensitive items are used and shared via non-Microsoft cloud apps.

+To use a DLP policy that's scoped to a specific non-Microsoft cloud app, the app must be connected to Defender for Cloud Apps. For information, see:

+Refer to [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) for the procedures to create a DLP policy. Keep these points in mind as you configure your policy:

+- Turn on the **Microsoft Defender for Cloud Apps** location.

+Microsoft Endpoint DLP allows you to monitor [onboarded Windows 10, and Windows 11](device-onboarding-overview.md) and [onboarded macOS devices](device-onboarding-macos-overview.md) running any of the three latest released versions. Once a device is onboarded, DLP detects when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they're used and protected properly, and to help prevent risky behavior that might compromise them.

+For full licensing details, see [Microsoft 365 licensing guidance for information protection](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection-data-loss-prevention-for-exchange-online-sharepoint-online-and-onedrive-for-business)

+1. You can't monitor **Copy to Clipboard** and **Enforcing Endpoint DLP** on Azure Virtual Desktop environments via browsers. However, the same egress operation will be monitored by **Endpoint DLP for actions via Remote Desktop Session (RDP)**.

+1. Citrix XenApp doesn't support access by restricted app monitoring.

+Once a device is onboarded, it should be visible in the devices list, and should start reporting audit activity to Activity explorer.

+**Endpoint data loss prevention** (Endpoint DLP) extends the activity monitoring and protection capabilities of DLP to sensitive items that are physically stored on Windows 10, Windows 11, and macOS devices running any of the latest releases. Once devices are onboarded into the Microsoft Purview solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](dlp-create-deploy-policy.md).

+Say you want to block all items that contain credit card numbers from leaving endpoints of Finance department users. We recommend the following:

+ If the **Always audit file activity for devices** setting is on, activities on any Word, PowerPoint, Excel, PDF, and .csv files are always audited, even if the device isn't targeted by any policy.

+After the extension is changed to any other file extension:

+File types are a grouping of file formats. They are utilized to protect specific workflows or areas of business. You can use one or more file types as conditions in your DLP policies. File types are supported for Windows 10/11 devices.

+> The **file extensions** and **file types** options cannot be used as conditions in the same rule. If you want to use them as conditions in the same policy, they must be in separate rules.

+> These Windows versions support **file extensions** and **file types** features:

+Onboarding and offboarding are handled via scripts that you download from the device management center. The device management center has custom scripts for each of the following deployment methods:

+- Local script (up to 10 machines)

+> If you want to try out just-in-time protection, you must register your tenant at [Endpoint JIT Preview](https://aka.ms/EndpointJITPreview).

+Just-in-time protection applies a candidate policy to onboarded Windows 10/11 devices. The candidate policy blocks all egress activities on monitored files until policy evaluation completes successfully. The candidate policy is applied to:

+> Because the candidate policy from just-in-time protection is applied to all files on onboarded devices, it may block user activity on files that won't have a policy applied once evaluation occurs. To prevent this productivity interruption, you should configure and deploy policies to devices before enabling just in time protection.

+1. For this scenario, choose **Privacy**, then **U.S. Personally Identifiable Information (PII) Data Enhanced**, and then choose **Next**.

+1. Give your new policy a **Name** and **Description**.

+1. Under **Admin units**, select **Full directory** and then **Next**.

+1. Toggle the **Status** field off for all locations except **Devices**. Choose **Next**.

+1. On the **Define policy settings** page, accept the default **Review and customize settings from the template** selection and choose **Next**.

+1. On the **Info to protect** page, accept the default values and choose **Next**.

+1. Accept the default **Protection actions** and choose **Next**.

+

+1. On the **Customize access and override settings** page, choose **Audit or restrict activities on Devices**. Accept the remaining default values and choose **Next**.

+1. On the **Policy mode** page, accept the default **Test it out first** and select **Show policy tips while in test mode**. Choose **Next**.

+1. Review your policy and choose **Submit** to create it, then choose **Done**. The new policy appears in the DLP **Policies** list.

+1. In the left navigation pane, choose **Data loss prevention** and then **Activity explorer**.

+1. Try to share a test item containing content that will trigger the U.S. Personally Identifiable Information (PII) Data condition. This should trigger the policy.

+1. Navigate to the data loss prevention [Policies page](https://compliance.microsoft.com/datalossprevention?viewid=policies).

+1. Choose the **U.S. Personally Identifiable Information (PII) Data Enhanced** policy that you created in Scenario 1.

+1. Choose **Edit policy**.

+1. Go to the **Customize advanced DLP rules** page and edit the **Low volume of content detected U.S. Personally Identifiable Inf**.

+1. Scroll down to the **Incident reports** section and toggle **Send an alert to admins when a rule match occurs** to **On**. Email alerts will be automatically sent to the administrator and anyone else you add to the list of recipients.

+ :::image type="content" alt-text="This screenshot shows the option to turn on incident reports." source="../media/endpoint-dlp-2-using-dlp-incident-reports.png":::

+1. Retain all your previous settings by choosing **Next** throughout the rest of the wizard, then **Submit** the policy changes.

+1. Try to share a test item containing content that will trigger the U.S. Personally Identifiable Information (PII) Data condition. This should trigger the policy.

+1. Check the activity explorer for the event.

+1. Open the data loss prevention [Policies page](https://compliance.microsoft.com/datalossprevention?viewid=policies).

+1. Choose **Edit policy**.

+1. Scroll down to the **Audit or restrict activities on Windows device** section and set both options under the **Service domain and browser activities** to **Block with override**.

+ :::image type="content" alt-text="The screenshot shows the set block with override action options." source="../media/endpoint-dlp-6-using-dlp-set-blocked-with-override.png":::

+1. Repeat steps 4-6 for the **High volume of content detected U.S. Personally Identifiable Inf**.

+1. Retain all your previous settings by choosing **Next** through the rest of the wizard,and then **Submit** the policy changes.

+

+ :::image type="content" alt-text=" This screenshot shows the endpoint dlp client blocked override notification." source="../media/endpoint-dlp-3-using-dlp-client-blocked-override-notification.png":::

+1. Check the activity explorer for the event.

+## Scenario 4: Avoid looping DLP notifications from cloud synchronization apps with auto-quarantine

+- A Microsoft Azure Active Directory (Azure AD) user account to target and an onboarded Windows 10/11 computer that is already synchronizing a local OneDrive folder with OneDrive cloud storage.

+1. Configure the Endpoint DLP Auto-quarantine settings.

+1. Create a policy that blocks sensitive items that have the **Highly Confidential** sensitivity label.

+1. Create a Word document on the Windows 10/11 device that the policy is targeted to, apply the label, and copy it to the user accounts local OneDrive folder that is being synchronized.

+### Configure Endpoint DLP unallowed app and Auto-quarantine settings

+1. Under **Restricted app groups**, choose **Add restricted app group**. Enter *Cloud Sync apps* as the group name.

+

+1. Select the **Auto-quarantine** box.

+

+1. For the **App name**, enter *OneDrive*. For the **Executable name**, enter *onedrive.exe*, then choose the **+** button. This will disallow onedrive.exe from accessing items with the **Highly Confidential** label.

+1. Choose **Save**.

+ > **'%homedrive%%homepath%\Microsoft DLP\Quarantine'** for the username *Isaiah Langer* will place the moved items in a folder named:

+ > *C:\Users\IsaiahLanger\Microsoft DLP\Quarantine\OneDrive*

+1. Append a date and time stamp to the original file name.

+

+ > [!NOTE]

+ > DLP auto-quarantine will create sub-folders for the files for each unallowed app. So if you have both *Notepad* and *OneDrive* in your unallowed apps list, a sub-folder will be created for **\OneDrive** and another sub-folder for **\Notepad**.

+1. Choose **Replace the files with a .txt file that contains the following text** and enter the text you want in the placeholder file. For example for a file named *auto quar 1.docx*, you could enter:

+ > %%FileName%% contains sensitive info that your organization is protecting with the data loss prevention (DLP) policy %%PolicyName%%. It was moved to the quarantine folder: %%QuarantinePath%%

+ will leave a text file that contains this message:

+ > auto quar 1.docx contains sensitive info that your organization is protecting with the data loss prevention (DLP) policy. It was moved to the quarantine folder: C:\Users\IsaiahLanger\Microsoft DLP\Quarantine\OneDrive\auto quar 1.docx.

+1. Choose **Save**.

+### Configure a policy to block OneDrive synchronization of files with the sensitivity label "Highly Confidential"

+1. Navigate to **Data loss prevention"** **Policies** > **Create policy**.

+1. For this scenario, choose **Custom**, then **Custom policy**. Choose **Next**.

+

+ 1. **Name** > *Scenario 4 Auto-quarantine*.

+ 1. Under **Conditions** choose **Add condition** and then **Content Contains**.

+ 1. Enter a group name, for example *Highly-Confidential Sensitivity Labels* and then choose **Add**.

+ 1. Select **Sensitivity labels** then **Highly Confidential** and choose **Add**.

+ 1. Under **Actions** choose **Add an action**.

+ 1. Select **Audit or restrict activities on Windows devices** > **File activities for apps in restricted app groups**.

+ 1. Choose **Add restricted app group** then choose the *Cloud Sync Apps* group you created previously.

+ 1. Choose **Apply a restriction to all activity** > **Block**. For the purposes of this scenario, clear all the other activities.

+ 1. Under **User notifications**, toggle **User notifications** to **On** and under **Endpoint devices** choose **Show users a policy tip notification when an activity** if not already enabled.

+

+ > [!NOTE]

+ > Allow at least an hour for the new policy to be replicated and applied to the target Windows 10 computer.

+1. The new DLP policy appears in the policy list.

+### Test Auto-quarantine on the Windows 10/11 device

+1. Sign in to the Windows 10/11 computer with the user account you specified in [Configure a policy to block OneDrive synchronization of files with the sensitivity label Highly Confidential](#configure-a-policy-to-block-onedrive-synchronization-of-files-with-the-sensitivity-label-highly-confidential, step 5.

+ > *C:\auto-quarantine source folder*

+1. Open Microsoft Word and create a file in the auto-quarantine source folder. Apply the **Highly confidential** sensitivity label; see [Apply sensitivity labels to your files and email in Office](https://support.microsoft.com/topic/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9).

+ :::image type="content" alt-text="This screenshot shows the Data loss prevention user notification message that the OneDrive synchronization action isn't allowed for the specified file and that the file will be quarantined." source="../media/auto-quarantine-user-notification-toast.png":::

+ The message reads:

+ > Opening auto-quarantine doc 1.docx with this app is not allowed. The file will be quarantined to 'C:\Users\IsaiahLanger\Microsoft DLP\OneDrive'

+1. Check Activity explorer for data from the monitored endpoints. Set the location filter for devices and add the policy, then filter by policy name to see the effect of this policy. For information on using activity explorer, see [Get started with activity explorer](data-classification-activity-explorer.md).

+With Endpoint DLP and a supported web browser, you can restrict unintentional sharing of sensitive items to unallowed cloud apps and services. Microsoft Edge understands when an item is restricted by an Endpoint DLP policy and enforces access restrictions.

+When you select **Devices** as a location in a properly configured DLP policy and use a supported web browser, the unallowed browsers that you've defined in these settings will be prevented from accessing the sensitive items that match your DLP policy controls. Instead, users will be redirected to use Microsoft Edge, which, with its understanding of DLP imposed restrictions, can block or restrict activities when the conditions in the DLP policy are met.

+You can also audit, block with override, or block these user-upload sensitive items to cloud apps and services through **Sensitive service domains**.

+1. In the Microsoft Purview compliance portal navigate to **Data loss prevention** > **Endpoint DLP settings** > **Browser and domain restrictions to sensitive data** > **Sensitive service domain groups**.

+1. Select **Create sensitive service domain group**.

+1. Enter the **Sensitive service domain** for the group. You can add multiple websites to a group and use wildcards to cover subdomains. For example, `www.contoso.com` for just the top level website, or: \*.contoso.com for corp.contoso.com, hr.contoso.com, fin.contoso.com.

+

+1. In the left navigation pane, select **Data loss prevention** \> **Policies**.

+1. Create a rule that uses the condition **The user accesses a sensitive site from Edge**.

+1. Add the action **Audit or restrict activities on devices**.

+1. Under **Service domain and browser activities**, choose **Upload to a restricted cloud service domain or access from an unallowed browser** and set the action to **Audit only**.

+1. Select **Choose different restrictions for sensitive service domains** and then choose **Add group**.

+

+1. On **the Choose sensitive service domain groups** flyout, select the sensitive service domain group(s) you want, choose **Add** and then choose **Save**.

+1. On the confirmation page, choose **Done**.

+1. Select the user activities you want to monitor or restrict and the actions for DLP to take in response to those activities.

+1. On the **Policy mode** page, choose **Turn it on right away**. Choose **Next** and then **Submit**.

+This scenario is for an unrestricted admin creating a full directory policy.

+Use this scenario when you want to audit or block the following user activities on a website.

+1. To control whether sensitive files can be uploaded to specific domains, select **Add cloud service domain**.

+1. Enter the domain that you want to want to audit or block and choose the **+** button. Repeat for any additional domains. Choose **Save**.

+

+1. Under **Sensitive service domain groups**, choose **Create sensitive service domain group**.

+1. Give the group a name, celect the **Match type** you want (you can select from **URL**, **IP address**, **IP address range**), and enter the URL, IP address, or IP address range to be audited or blocked. When matching a URL, you can add multiple websites to a group and use wildcards to cover subdomains. For example, `www.contoso.com` for just the top level website or \*.contoso.com for corp.contoso.com, hr.contoso.com, fin.contoso.com.

+1. In the left navigation pane, select **Data loss prevention** \> **Policies**.

+1. Create a rule that uses the condition **the user accessed a sensitive site from Edge**, and the action **Audit or restrict activities when users access sensitive sites in Microsoft Edge browser on Windows devices**.

+1. In the action, under **Sensitive Site Restrictions**, select **Add or remove Sensitive site groups**.

+1. Create and/or select the **Sensitive site groups** you want. Any website under the group(s) you select here will be redirected to Microsoft Edge when opened in Chrome or Firefox (so long as the Microsoft Purview extension is installed).

+1. Select the user activities you want to monitor or restrict and the actions you want Microsoft Purview to take in response to those activities.

+1. Finish configuring the rule and policy and choose **Submit** and then **Done**.

+1. Scroll down to **Sensitive service domain groups**.

+1. Choose **Create sensitive service domain group**.

+ 1. Enter a **Group name**.

+ 1. In the **Sensitive service domain** field, enter the URL for the first website you want to monitor and then choose **Add site**.

+ 1. Continue adding URLs for the rest of the websites you want to monitor in this group.

+ 1. When you are finished adding all URLs to your group, choose **Save**.

+1. Create as many separate groups of URLs as you need.

+1. Create a DLP policy scoped to **Devices**. For information on how to create a DLP policy, see [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md#create-and-deploy-data-loss-prevention-policies).

+1. On the [Define policy settings page](https://sip.compliance.microsoft.com/datalossprevention/policies) in the DLP policy creation flow, select **Create or customize advanced DLP rules** and then choose **Next**.

+1. On the **Customize advanced DLP rules** page, choose **Create rule**.

+1. Enter a name and description for the rule.

+1. Expand **Conditions**, choose **Add condition**, and then select the **Sensitive info types**.

+1. Under **Content Contains**, scroll down and select the new sensitive information type that you previously chose or created.

+1. Scroll down to the **Actions** section, and choose **Add an action**.

+1. Choose **Audit or restrict activities on devices**

+1. In the **Actions** section, under **Service domain and browser activities**, select **Paste to supported browsers**.1.

+1. Set the restriction to **Audit**, **Block with override**, or **Block**, and then choose **Add**.

+1. Choose **Save**.

+1. Choose **Next**

+1. Choose whether you want to test your policy, turn it on right away, or keep it off, and then choose **Next**.

+1. Choose **Submit**.

+1. Select **Create printer group** and enter a **Group a name**. In this scenario, we'll use `Legal printers`.

+ 1. Friendly printer name

+ 1. USB product ID

+ 1. USB vendor ID

+ 1. IP range

+ 1. Print to file

+ 1. Universal print deployed on a printer

+ 1. Corporate printer

+ 1. Print to local

+1. Navigate to **Data loss prevention** > **Policies**.

+1. Create a rule with the following values:

+ 1. Add a **Condition**: **Content contains** = **Trainable classifiers**, **Legal Affairs**

+ 1. **Actions** = **Audit or restrict activities on devices**

+ 1. Then pick **File activities on all apps**

+ 1. The select **Apply restrictions to specific activity**

+ 1. Select **Print** = **Block**

+ > [!TIP]

+ > The **Allow** action wil record and audit event to the audit log, but not generate an alert or notification.

+1. Select **Save** and then **Next**.

+Network exceptions enable you to configure Allow, Audit only, Block with override, and Block actions to the file activities based on the network that users are accessing the file from. You can select from the [VPN settings](dlp-configure-endpoint-settings.md#vpn-settings) list you've defined and use the **Corporate network** option. The actions can be applied individually or collectively to these user activities:

+1. Run this cmdlet:

+ ```powershell-interactive

+ Get-VpnConnection

+ ```

+1. Running this cmdlet returns multiple fields and values.

+1. Find the **ServerAddress** field and record that value. You'll use this when you create a VPN entry in the VPN list.

+1. Find the **Name** field and record that value. The **Name** field maps to the **Network address** field when you create a VPN entry in the VPN list.

+1. Open **Data loss prevention** > **Policies**.

+ 1. **Content contains** = **Trainable classifiers**, **Legal Affairs**

+ 1. **Actions** = **Audit or restrict activities on devices**

+ 1. Then pick **File activities on all apps**

+ 1. The select **Apply restrictions to specific activity**

+ 1. Select the actions that you want to configure **Network exceptions** for.

+ > [!IMPORTANT]

+ > When you want to control the activities of a user when they're connected through a VPN *you must* select the VPN and make the VPN the top priority in the **Network exceptions** configuration. Otherwise, if the **Corporate network** option is selected, then that action defined for the **Corporate network** entry will be enforced.

+ > [!CAUTION]

+ > The **Apply to all activities** option will copy the network exceptions that are defined here and apply them to all the other configured specific activities, like **Print**, and **Copy to a network share**. ***This will overwrite the network exceptions on the other activities The last saved configuration wins.***

+1. Review your settings and choose **Submit** and then **Done**.

+Before you even create your first Microsoft Purview Data Loss Prevention (DLP) policy, DLP helps protect your sensitive information with a default policy. This default policy and its recommendation (shown below) help keep your sensitive content secure by notifying you when email or documents containing a credit card number are shared with someone outside your organization. You'll see this recommendation on the **Home** page of the Microsoft Purview compliance portal.

+- Detects when content in Exchange, SharePoint, and OneDrive that contains at least one of the following sensitive information items is shared with people outside your organization.

+ - Content containing Intellectual Property (as matched by our IP, Project Documents, M&A Files, Software Product development files, IT Infra and Network Security Documents, and Strategic planning documents trainable classifiers)

+If you want to change these options later, you can edit the default DLP policy at any time. See the next section for instructions.

+This policy is named **Default DLP policy** and appears under **Data loss prevention** on the **Policies** page of the Microsoft Purview compliance portal.

+The widget, named **Further protect shared content**, appears in the **Recommended for you** section of the **Home** page of the Microsoft Purview compliance portal.

+After you create a DLP policy in the Compliance portal, the policy is deployed to all of the locations included in the policy. If the policy includes Exchange, the policy is synced there and enforced in exactly the same way as a DLP policy created in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>.

+If you've created DLP policies in the Exchange admin center, those policies will continue to work side by side with any policies for email that you create in the compliance portal. However, rules created in the Exchange admin center take precedence. All Exchange mail flow rules are processed first, and then the DLP rules from the compliance portal are processed.

+This means:

+- Messages that are blocked by Exchange mail flow rules won't get scanned by DLP rules created in the compliance portal

+- Messages that are quarantined by Exchange mail flow rules or any other filters run before DLP won't be scanned by DLP

+- If an Exchange mail flow rule modifies a message in a way that causes it to match a DLP policy in the compliance portal, such as adding external users, then the DLP rules will detect it and enforce the policy as needed.

+Also note that Exchange mail flow rules that use the **stop processing** action don't affect the processing of DLP rules in the compliance portal - they'll still be processed.

+Policy tips can work either with DLP policies and mail flow rules created in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a> or with DLP policies created in the compliance portal, but not both. The reason for this is that these policies are stored in different locations but policy tips can draw only from a single location.

+If you've configured policy tips in the Exchange admin center, any policy tips that you configure in the compliance portal won't appear to users in Outlook on the web or Outlook 2013 and later until you turn off the tips in the Exchange admin center. This ensures that your current Exchange mail flow rules will continue to work until you choose to switch over to the compliance portal.

+>While policy tips can draw only from a single location, email notifications are always sent, even if you're using DLP policies in both the compliance portal and the Exchange admin center.

+An inactive mailbox that's configured with an auto-expanding archive can't be recovered or restored. If, for compliance reasons, you need to recover data from an inactive mailbox with an auto-expanding archive, use content search to export the data from the mailbox. This action is supported for eDiscovery purposes only, and can't be used as a backup solution. For instructions to use content search for the recovery of data for eDiscovery, see following articles:

+> Support for enabling or disabling search restrictions is only available when your organization isn't in *Legacy* mode. Organizations in *Legacy* mode cannot enable or disable search restrictions. Enabling or disabling search restrictions requires additional actions to change the information barriers mode for your organization. For more information, see [Use multi-segment support in information barriers)](information-barriers-multi-segment.md) for details.<br><br> Organizations in *Legacy* mode will be eligible to upgrade to the newest version of information barriers in the future. For more information, see the [information barriers roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=information%2Cbarriers).

+IB policy is enforced when opening the SharePoint site or content in the SharePoint site. This is based on the IB mode of the site.

+- The user has site access permissions.

+- **Segment associated sites**: When the site's segment matches the user's segment and the user has site access permission. For example, a site with *Explicit* mode.

+- **Non-segmented sites**: When the user has existing access to the content or site. For example, sites with *Open*, *Owner Moderated* or *Implicit* mode. When the user selects the search result to open the content in the site, the user is denied access if they don't match the site's IB policy.

+- Devices (Windows 10/11 endpoint devices)

+To create or edit a DLP policy, use the procedures in [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md).

+- If you are using a named entity SIT, like All Full Names, to help find US Social Security numbers, use larger instance counts such as 10 or 50. Then, when both the person names and the SSNs are detected together, you're more likely to get true positives.

+- You can use [Auto-labeling simulations](apply-sensitivity-label-automatically.md#learn-about-simulation-mode) to test the accuracy of named entity SITs. Run a simulation using a named entity SIT to see what items match the policy. With this information, you can fine tune accuracy by adjusting the instance counts and confidence levels in your custom policies or the enhanced template conditions. You can iterate simulations until the accuracy is where you want it before deploying a DLP or auto-labeling policy containing named entities in production. Here's an overview of the flow:

+1. Identify the SIT or combination of SITs you want to test in simulation mode, either custom or cloned and edited

+1. Identify or create a sensitivity label to be applied when the auto-labeling policy finds a match in Exchange, SharePoint sites, or OneDrive accounts

+1. Repeat until you get the accuracy results you want

+For example, your organization might use Windows Server FCI to identify items with personal data, such as social security numbers, and then classify those documents by setting the **Personally Identifiable Information** property to **High**, **Moderate**, **Low**, **Public**, or **Not PII** based on the type and number of occurrences of personal data found in each document.

+In Microsoft 365, you can create a DLP policy that identifies documents that have that property set to specific values, such as **High** and **Medium**, and then takes an action such as blocking access to those files. The same policy can have another rule that takes a different action if the property is set to **Low**, such as sending an email notification. This way, DLP integrates with Windows Server FCI and can help protect Office documents uploaded or shared to Microsoft 365 from Windows Server-based file servers.

+If you want to apply your DLP policy to content with specific Microsoft 365 labels, don't follow the steps here. Instead, refer to l[Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md#create-and-deploy-data-loss-prevention-policies).

+In SharePoint and OneDrive, the search index is built up by crawling the content on your sites. The crawler picks up content and metadata from the documents in the form of crawled properties. The search schema helps the crawler decide what content and metadata to pick up. (Examples of metadata are the author and the title of a document.) However, to get the content and metadata from the documents into the search index, the crawled properties must be mapped to managed properties. Only managed properties are kept in the index. For example, a crawled property related to author is mapped to a managed property related to author.

+> Be sure to use a managed property name, not a crawled property name, when creating DLP rules using the `ContentPropertyContainsWords` condition. This is important because DLP uses the search crawler to identify and classify sensitive information on your sites, and then stores that sensitive information in a secure portion of the search index. When you upload a document to Office 365, SharePoint automatically creates crawled properties based on the document properties. However, to use an FCI or other property in a DLP policy, that crawled property needs to be mapped to a managed property so that the content with that property is kept in the index.

+First, you need to upload a document with the property that you want to reference in your DLP policy. Microsoft 365 will detect the property and automatically create a crawled property from it. In the next step, you'll create a managed property, and then map the managed property to this crawled property.

+2. In the left navigation pane, choose **Admin centers** \> **SharePoint**. You're now in the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>.

+3. In the left navigation pane, choose **search**. On the **search administration** page, choose **Manage Search Schema**.

+8. Under **Mappings to crawled properties** choose **Add a mapping**.

+9. In the **crawled property selection** dialog box, find and select the crawled property that corresponds to the Windows Server FCI property or other property that you will use in your DLP policy, then choose **OK**.

+10. At the bottom of the page choose **OK**.

+To begin, they follow the steps above to create a managed property in SharePoint Online, which maps to the crawled property created automatically from the FCI property.

+<!-- ### Create the DLP policy by using Security & Compliance PowerShell

+-->

+Completing the steps in the previous sections creates a DLP policy that will quickly detect content with that property, but only if that content is newly uploaded (so that the content's indexed), or if that content is old but just edited (so that the content's re-indexed).

+To detect content with that property everywhere, you'll need to have your library, site, or site collection re-indexed, so that the DLP policy is aware of all the content with that property. In SharePoint, content is automatically crawled when content is edited. Specific SharePoint sites can't be manually re-indexed.

+|[Scope labels to files or emails](sensitivity-labels-office-apps.md#scope-labels-to-just-files-or-emails) |Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Rolling out: 16.70+ ^\* | Rolling out: 4.2309+ |Rolling out: 4.2309+ |Yes |

+|[Preventing oversharing as DLP policy tip](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup)|Current Channel: 2305+ <br /><br> Monthly Enterprise Channel: 2307+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |

+|[Label inheritance from email attachments](sensitivity-labels-office-apps.md#configure-label-inheritance-from-email-attachments) |Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |

+Contoso Bank needs to classify the credit card numbers that they issue as sensitive. Their credit cards start with a set of six-digit patterns. They would like to customize the out-of-the-box credit card definition to detect only those credit card numbers starting with their six-digit patterns.

+1. Add teh **starts with** check and add the list of pattern digits (formatted & unformatted). For example to ensure that the SIT only considers credit cards starting with 411111 & 433512 should be considered valid, add the following to the list 4111 11, 4111-11, 411111, 4335 12, 4335-12, 433512.

+Contoso has identified a few nine-digit test numbers that trigger false positive matches in the Social Security Number (SSN) Microsoft Purview data loss prevention (DLP) policy. They would like to exclude these numbers from the list of valid matches SSN matches.

+1. Add the numbers you want to exclude in the **exclude specific values** additional check. For example, to exclude 239-23-532 & 23923532, just adding 23923532 is sufficient.

+Australia-based Contoso finds that phone numbers in email signatures are triggering a match for their Australia company number DLP policy.

+Add a 'NOT' group in supporting elements using a keyword list containing commonly used keywords in email signatures, such as ΓÇ£PhoneΓÇ¥, ΓÇ£MobileΓÇ¥, ΓÇ£emailΓÇ¥, ΓÇ£Thanks and regardsΓÇ¥ etc. Keep the proximity of this keyword list to a smaller value (for instance, 50 characters) for better accuracy. For more information, see [Get started with custom sensitive information types](create-a-custom-sensitive-information-type.md).

+Contoso Bank has noticed some of their employees share credit card numbers with ΓÇÿ/ΓÇÖ as a delimiter, for example, 4111/1111/1111/1111, which the out-of-the-box credit card definition doesn't detect. Contoso would like to define their own regex and validate it using LuhnCheck.

+1. Create a copy of the credit card SIT using the steps in [Customize a built-in sensitive information type](customize-a-built-in-sensitive-information-type.md)

+1. In the primary element, select **regular expression**

+1. Define the regular expression that includes ΓÇÿ/ΓÇÖ as part of the regular expression; choose **validator** and then select **luhncheck** or **func_credit_card** to ensure the regex also passes the LuhnCheck.

+Many organizations add legal disclaimers, disclosure statements, signatures, or other information to the top or bottom of email messages that enter or leave their organizations. In some cases, emails sent within an organization itself can contain such text. For example, employees may add signatures with motivational quotes, social messages, and so on. A disclaimer or signature can contain the terms that are present in the lexicon of a CC and may generate many false positives.

+"IMPORTANT NOTICE: This e-mail message is intended to be received only by persons entitled to receive the confidential information it may contain. E-mail messages to clients of Contoso may contain information that is confidential and legally privileged. Please do not read, copy, forward, or store this message unless you are an intended recipient. If you have received this message in error, please forward it to the sender and delete it completely from your computer system."

+"IMPORTANT NOTICE: This e-mail message is intended to be received only by persons *entitled to receive the* confidential **information it may contain**. E-mail messages to clients of Contoso may contain information that is confidential and legally privileged. Please do not read, copy, forward, or store this message unless you are an intended recipient. If you have received this message in error, please forward it to the sender and delete it completely from your computer system."

+"IMPORTANT NOTICE: This e-mail message is intended to be received only by persons entitled to receive the confidential information it may contain. E-mail messages to clients of Contoso may contain information that is confidential and legally privileged. Please do not read, copy, forward, or store this message unless you are an intended recipient. If you have received this message in error, please forward it to the sender and delete it completely from your computer system."

+We have two instances of the keyword ΓÇ£confidentialΓÇ¥ in this example. If we configure the SIT to ignore instances of this keyword in the disclaimer (underlined as red in the following image), we can achieve ignoring disclaimers in most of the cases.

+1. In the compliance portal, go to **Data classification** \> **Classifiers** \> **Sensitive info types** and choose the sensitive information type from the list that you want to modify. Choose **Edit**.

+1. In the compliance portal, go to **Data classification** \> **Classifiers** \>**Sensitive info types** and choose the sensitive information type that you want to remove from the list.

+ > The built-in rule package that contains the built-in sensitive information types is named *Microsoft Rule Package*. The rule package that contains the custom sensitive information types that you created in the Compliance center UI is named *Microsoft.SCCManaged.CustomRulePack*.

+ - [GCC-High](https://go.microsoft.com/fwlink/?linkid=2137521) - This is specifically for high-security government cloud subscribers

+ > The underlying custom sensitive information type or built-in sensitive information type used to detect the general regex pattern must support detection of the input variations listed with ignoredDelimiters. For example, the built-in U.S. Social Security Number (SSN) sensitive information type can detect variations in the data that include dashes, spaces, or lack of spaces between the grouped numbers that make up the SSN. As a result, the only delimiters that are relevant to include in EDMΓÇÖs **ignoredDelimiters** for SSN data are: dash and space.

+Keyword dictionaries can be used as **Primary elements** or **Supporting elements** in sensitive information type (SIT) patterns. You can edit a keyword dictionary while creating a SIT or in an existing SIT. For example to edit an existing keyword dictionary:

+4. Choose **Done**.

+1. Edit your **edm.xml** file (this file is discussed in the [Create the schema for exact data match based sensitive information types](sit-get-started-exact-data-match-create-schema.md#create-the-schema-for-exact-data-match-based-sensitive-information-types).

+ You're prompted to confirm as follows:

+ You're prompted to confirm the following message:

+1. Open **Compliance center** \> **Data classification** \> **Classifiers**.

+2. Choose **EDM classifiers**.

+

+3. Double-click on the EDM SIT you want to edit.

+4. Choose **Edit EDM sensitive info type** or **Delete EDM sensitive info type** from the flyout.

+

+5. Follow the steps in the wizard to complete your edits or to delete the classifier.

+> For devices to appear in Microsoft Defender Antivirus device health reports they must meet the following pre-requisites:

+>

+> - Device is onboarded to Microsoft Defender for Endpoint

+> - OS: Windows 10, Windows 11, Windows Server 2012 R2/, 2016 R2/ 2019/2022 (non MMA), MacOS, Linux

+> - Sense (MsSense.exe): **10.8210.** \*+. See [Prerequisites](#prerequisites) section for related details.

+>

+- Sense (MsSense.exe): **10.8210.** \*+ΓÇ»

+ > \* Currently up to date reporting is only available for Windows devices. Cross platform devices such as Mac and Linux are listed under "No data available"/Unknown.

+> - The analyzer depends on few extra PIP packages (sh, distro, lxml, pandas) which are installed in the OS when in root to produce the result output. If not installed, the analyzer will try to fetch it from the [official repository for Python packages](https://pypi.org/search/?q=lxml).

+>

+> >[!WARNING]

+> >Running the Python-based client analyzer requires the installation of PIP packages which may cause some issues in your environment. To avoid issues from occurring, it is recommended that you install the packages into a user PIP environment.

+1. Identify or create a user who's a member of the [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator), [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator), or [Attack Simulation Administrator](/azure/active-directory/roles/permissions-reference#attack-simulation-administrator) roles in Azure Active Directory. Assign a Microsoft 365, Office 365, Microsoft Teams Essentials, Microsoft 365 Business Basic, or a Microsoft 365 Business Standard license for [Microsoft Teams](/office365/servicedescriptions/teams-service-description). You need to know the password.