Sensitivity Labels DLP’s Excellent Adventure

Last Updated on June 30, 2021 by rudyooms

In this blog, I’ll be talking about using DLP in combination with sensitivity labels and device protection. A perfect addition to labeling your data with sensitivity labels.

Labeling your data may already be the best option you have to protect your data but adding an additional barrier by making sure data can’t be moved is even more excellent! Yeah!

Microsoft 365 E5/A5 compliance license or the information protection and governance add-on is the “only” big requirement you need to start using this feature. It would be great if this feature was added to the Microsoft 365 business premium license as well. Of course, AAD or Hybrid joined is also a necessity.

So where to begin? You need to start onboarding your devices. This can easily be done within the Compliance center. In the example I use, I already pressed “Turn on device onboarding”.

The next thing you need is the same sensor device configuration as you’ve used for onboarding devices to Windows defender ATP.

When your devices are enrolled you can create a new DLP policy. Choose “Devices” as the location to apply the policy.

After you selected the “devices” location you can change the rule settings.  I selected the “sensitivity labels” condition and selected an existing label.

Don’t forget to dropdown the “action” menu to start auditing or restricting activities on windows devices.

You can also set some end user and admin notifications, to make sure user actions are being noticed.

Of course, you can also use Cloud App Security to add some monitoring! It’s a shame you can not use MCAS to create a session policy to block it.

And you are done! That’s it.

Wait some time to let the magic happen. Go create a new word document and set your sensitivity label you selected earlier. When you have your document labelled, try to copy it to a network share or USB media.  A new toast notification will appear and as you can see your action is blocked.


Until today I was not a big fan of using DLP. Blocking credit card information can lead to many false positives. But using DLP with labels works really well. It’s easy to set up and use.  For now, though, it’s still possible to zip the files and copy them, so it’s not perfect yet… But supporting archive files is targeted for 2021. I also really hope this feature will be added to the Microsoft 365 business premium license soon.

Leave a Reply

Your email address will not be published. Required fields are marked *

  +  31  =  41