Configure DLP for Microsoft Teams

Data Loss Prevention is not a new feature in Office 365. But recently Microsoft announced that they are extending Data Loss Prevention to Microsoft Teams. Let’s give that a try!

What is this feature?

Basically if users are sharing specific content on Office 365 they can be notified that it’s against company policy or it can also be blocked.

Below is an example of a user who tried to share a SSN and is blocked.

The other team members actually won’t see the shared content.

How do I set this up?

Of course you can do this with PowerShell. You will need to use the New-DlpCompliancePolicy and New-DlpComplianceRule cmldets to create DLP policies.

I have created an example script which creates a DLP Policy for all Teams in a tenant. This policy will check for SSN information. When it finds a match it will block the content.

MailNickName, huh what?!

One of the things which is nice about DLP is that you can set the policy to only specific objects. In Microsoft Teams you can apply them to specific teams with the -Teamslocation parameter.

After a bit of trial and error I found out that the New-DlpCompliancePolicy cmdlet expects the MailNickName attribute of the corresponding Group.

And of course it takes some time for the DLP policies to be processed by Office 365 so be aware of that. Happy testing!