A simple, four-step way to turn on DLP. Start quiet, add warnings, then protect, and only block what truly needs it. Each mode is tested live before moving to the next — no user impact until you have the signal to justify it.
At a Glance
| Mode | Goal | User sees |
|---|
| 1. Monitor | Understand the data in motion. Build understanding of business process. | Nothing. No tip, no email. |
| 2. Educate | Change user behavior. Teach safe handling before any enforcement. | A policy tip, then a short coaching nudge. |
| 3. Protect | Secure the data automatically, with zero friction for the sender. | Nothing extra. Recipient may see an encrypted-mail notice. |
| 4. Block | Stop the highest-risk data from ever leaving the organization. | A block message, or a request for justification. |
How the Playbooks Fit Together
Start with the Monitor-only DLP Policy across all workloads (step 1). Once you have 2–4 weeks of clean signal in Activity Explorer, the Exchange Online Baseline DLP implements steps 2–4 for email: a policy-tip warning (Educate), automatic encryption (Protect), and a high-volume block with justification (Block). Extend the same pattern to SharePoint, OneDrive, and Teams as each mode proves out.
Monitor
Watch quietly. Nothing shown to users.
The rule runs in the background. It detects sensitive data but shows nothing to the user — pure signal gathering while you tune SIT counts and confidence levels.
Mode Goal
Understand the data in motion. Build understanding of business process.
User sees
Nothing. No tip, no email.
Steps
- Build one policy to monitor all sharing of sensitive data.
- Turn on detection only — no tip, no block.
- Send a live test to confirm it fires in Activity Explorer.
- Baseline for 2–4 weeks before moving to Educate.
Build it
Monitor-only DLP Policy — Ready-to-build monitor policy for EXO, SPO, ODB, and Teams — two SIT volume tiers plus an IT Secrets rule.
Educate
Warn users. Mail still sends.
Users now get a warning. First a policy tip in Outlook, optionally with an override-and-justify path, so people learn what to do instead — without stopping their work.
Mode Goal
Change user behavior. Teach safe handling before any enforcement.
User sees
A policy tip, then a short coaching nudge.
Steps
- Turn on the policy tip. Test it live. Run for about a week.
- Keep the tip text short and plain-language.
- Review override justifications in Activity Explorer.
- Repeat for each data type.
Protect
Encrypt sensitive mail automatically.
Sensitive mail is encrypted automatically before it leaves the company. Nothing slows down for the sender — the control is applied silently in transit.
Mode Goal
Secure the data automatically, with zero friction for the sender.
User sees
Nothing extra. Recipient may see an encrypted-mail notice.
Steps
- Turn on automatic encryption (Purview Message Encryption) for the rule.
- Test it live and confirm the external recipient can open it.
- Check that automated systems and shared mailboxes still work.
Block
Stop the highest-risk data only.
Reserved for the few data types that truly cannot leave. The message is stopped, or the user must justify sending it — always with an education nudge explaining why.
Mode Goal
Stop the highest-risk data from ever leaving the organization.
User sees
A block message, or a request for justification.
Steps
- Pick only the highest-risk data types (e.g. bulk SSN exfiltration).
- Start with block + justification, not a silent hard block.
- Carve out legitimate business exceptions before enforcing.
- Test it live before turning it on for everyone.
Build it
Exchange Online Baseline DLP — See the SSN – High Volume Block rule: block with education, fingerprint and security-group exceptions.