According to Varonis' latest report, 53% of companies had over 1,000 sensitive files open to every employee. The likelihood of losing these files, or of having them exposed to an external actor, grows every day. On the other hand, IBM reports that the average cost of a data breach worldwide is 3.9 million US$. There is no doubt that we are living in the era of data, and hackers and malicious actors are trying to get at it. More and more companies are investing in different technologies to prevent data leakage or data loss; however, this is very difficult nowadays with the presence of the cloud. Back in the old days it was easy to control all your egress points, but nowadays, with the cloud, remote connectivity, bring your own device (BYOD), online chat and other collaboration tools, protecting your data becomes a headache. This post explains, step by step, how to apply Microsoft Data Loss Prevention to data copied to USB.


What is Microsoft 365 Data Loss Prevention?

Microsoft 365 Data Loss Prevention is the solution provided by Microsoft to protect corporate sensitive information from being leaked or disclosed, whether intentionally or accidentally. It also helps organizations comply with major industry regulations and standards, GDPR for instance, and other privacy and regulatory requirements. To support the cloud-first strategy adopted by many organizations, Microsoft Data Loss Prevention supports different locations: mail (Exchange), SharePoint, OneDrive (cloud online storage), Microsoft Teams (chat and collaboration) and, recently, Windows 10 devices have been added to the scope.


Sensitive information protected by Microsoft Data Loss Prevention can be common types and formats of PII (Personally Identifiable Information), financial information (credit cards), health information and so on. Inside the tool you can easily pick from well-known templates, such as European or US data types, and you can also define your own sensitive information types by creating custom templates based on specific requirements or keywords. However, from my point of view, the best thing about Data Loss Prevention is its integration with the sensitivity labels created in your organization using Microsoft Information Protection.


Microsoft Information Protection, previously known as Azure Information Protection (AIP), allows you to create labels and use them to classify and protect your documents. In my demo tenant I created three labels (Public, Internal and Confidential). As the names imply, Public is data accessible to everyone, while Internal is only for my organization's staff. Confidential, however, is my crown jewels data that I need to protect and, as you have probably guessed, the data I need to ensure data loss prevention applies to.


Endpoint Data Loss Prevention

Microsoft recently extended the Data Loss Prevention features to Windows 10 endpoints and devices. It is now available in public preview to all Microsoft Defender ATP customers. Endpoint Data Loss Prevention offers multiple actions on your endpoint, ranging from monitoring to blocking, as shown below.


Microsoft Data Loss Prevention endpoint actions


This blog post covers copying sensitive files (data and files labeled and classified as Confidential) to any removable media. This scenario maps to different real-life cases, such as employee off-boarding, where you need to ensure no data is copied to removable media. The key thing to remember is that Data Loss Prevention (sometimes called Data Leakage Prevention) works hand in hand with your organization's information classification program.


Windows 10 Endpoints Requirements and Pre-requisites

In order to setup and implement this scenario, you need to check several points:

  1. Ensure you have the proper license (M365 E5 Compliance or the Information Governance and Protection license).
  2. All Windows devices should be Windows 10 1809 or higher (this demo runs on Windows 10 2004).
  3. All Windows 10 devices must be Azure AD (AAD) joined or Hybrid Azure AD joined (if you are running hybrid with on-premises Active Directory). You can easily check this or join Azure AD.

Azure AD connect

AAD Join

  4. Device monitoring must be enabled and all devices onboarded to the Microsoft 365 Compliance portal (that's why you need the license).


For more details on the Data Loss Prevention requirements, check the Microsoft documentation.


How to Enable Device Monitoring?

To enable device monitoring and onboard your devices, do the following:


  1. Log in to the Microsoft 365 Compliance portal.
  2. Go to Settings – Device onboarding (Preview).

M365 Compliance Device Onboarding

  3. Turn on device monitoring (if you have the proper license).

Turn on Device Onboarding

Endpoint Device Onboarding DLP

  4. In case your devices are already onboarded to Microsoft Defender ATP, they will appear automatically; otherwise you need to open the onboarding section and add them using one of the deployment methods (yes, these are the same as for Microsoft Defender ATP).

Endpoint Deployment




How to Create Data Loss Prevention USB Data Copy Policy?

Now the final step in setting up our solution is creating the Data Loss Prevention policy that blocks copying Confidential-labelled data to any removable media. To achieve this, create your policy as follows:


  1. In the compliance portal, go to Policies – Data Loss Prevention – Create Policy (Preview).
  2. You can either start with a template (for example GDPR or a health policy) or create your own custom policy. For our use case, I am going to create a custom policy.

DLP_Custom_Policy

  3. Name your policy and then pick the location to apply it to. Again, for our use case I am going to pick Devices (Preview).

Microsoft Data Loss Prevention Device Location

  4. Create the custom rule that will trigger this policy.
  5. The main condition is content that contains the Confidential sensitivity label.

DLP Rule Conditions

  6. The action is to block copying the data to removable media (USB). I can choose Audit only, Block, or Block with override, which gives the user the ability to override this restriction.

DLP Rule Actions

  7. Set notifications and incident emails to be triggered once these conditions are met.
  8. Turn on the policy, but keep in mind that, according to Microsoft, it might take 1 hour for the policy to take effect. Don't expect it to be up and running the moment you hit Submit.
  9. Review your settings and Submit.


DLP Policy Settings


Putting our new policy in action

After waiting for an hour, as Microsoft recommends, I created a new Word file and labelled it as Confidential. Next I tried to copy this file to a removable disk and checked the Data Loss Prevention response. A quick point to note here: Data Loss Prevention works on MIME (Multipurpose Internet Mail Extensions) types, so renaming the Word file or changing its extension will still be blocked and cannot be used as a backdoor.
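As an added illustration (not code from the post or from Microsoft), the checker below mimics the two things the rule above relies on: it classifies a file by its content rather than its name, so a renamed Word file is still recognised, and it reads the label that Microsoft Information Protection records as an MSIP_Label_<guid>_Name custom property inside the Office package. The label GUID and the Word package are constructed samples, and the real Endpoint DLP engine is not shown here.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

DOCX_MIME = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
CP_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/custom-properties}"
VT_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes}"
LABEL_GUID = "00000000-0000-4000-8000-000000000000"  # constructed placeholder; real label GUIDs are tenant-specific

def custom_props_xml(label_name: str) -> str:
    # docProps/custom.xml carrying the MSIP_Label_<guid>_Name property that MIP writes when a label is applied
    return (
        f'<?xml version="1.0"?><Properties xmlns="{CP_NS[1:-1]}" xmlns:vt="{VT_NS[1:-1]}">'
        '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" '
        f'name="MSIP_Label_{LABEL_GUID}_Name"><vt:lpwstr>{label_name}</vt:lpwstr></property></Properties>'
    )

def build_word_file(label_name: str = "") -> bytes:
    """Constructed sample: a minimal OOXML Word package, labelled if a name is given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<document/>")
        if label_name:
            zf.writestr("docProps/custom.xml", custom_props_xml(label_name))
    return buf.getvalue()

def sniff_mime(data: bytes) -> str:
    """Classify by container signature and package parts; the file name is never consulted."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "application/octet-stream"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    return DOCX_MIME if "word/document.xml" in names else "application/zip"

def sensitivity_label(data: bytes):
    """Label name recorded in docProps/custom.xml, or None for unlabelled or non-Word content."""
    if sniff_mime(data) != DOCX_MIME:
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return None
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.iter(CP_NS + "property"):
        name = prop.get("name", "")
        if name.startswith("MSIP_Label_") and name.endswith("_Name"):
            return prop.findtext(VT_NS + "lpwstr")
    return None

def removable_media_verdict(data: bytes) -> str:
    """The post's rule: block the copy to removable media when content carries the Confidential label."""
    return "block" if sensitivity_label(data) == "Confidential" else "allow"
```

Because the verdict takes only the bytes, saving the sample as report.txt instead of report.docx gives the same result.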


Create Confidential file


DLP Block copy to USB


The next thing is to check the Activity explorer inside the compliance portal for the details of all actions performed on your sensitive files and data. Activity explorer provides full visibility and insight into all actions, and you can filter on specific dates and actions as well.


M365 Compliance Activity Explorer





Microsoft 365 Compliance Data Loss Prevention is an essential and integral part of your information protection strategy. First, you start by identifying your data and classifying and labeling it. Second, you need to protect it and apply the appropriate controls according to your classification. Finally, you should monitor your data, especially when it is shared externally. The next step is to give it a try and extend data loss prevention to other locations such as mail, SharePoint, OneDrive and Teams. Another exciting feature is enforcing data loss prevention policies on data uploaded to the internet by installing the new Edge browser (Chromium) on your Windows 10 endpoints.