DLP Policies and Sensitive Info Types
Key Takeaways
- Microsoft Purview DLP policies detect sensitive information types (SITs) across Exchange, SharePoint, OneDrive, Teams, devices, and Microsoft 365 Copilot interactions.
- Built-in SITs cover PII, financial data, and health records; custom SITs and trainable classifiers extend detection to organization-specific patterns.
- DLP can block Copilot from processing, summarizing, or surfacing content that matches configured sensitive information types.
- Adaptive Protection dynamically tightens DLP enforcement for users with elevated Insider Risk Management scores that may include Copilot activity signals.
- Device access restrictions for Copilot are enforced through Conditional Access and Intune — not through DLP policies.
- Activity explorer reports user activities on labeled/sensitive content; Data Explorer helps locate where sensitive information resides.
Quick Answer: Microsoft Purview DLP policies detect sensitive information types (SITs) — patterns such as credit card numbers or national IDs — and can block Copilot from processing or surfacing matching content. Device restrictions use Conditional Access, not DLP.
Exam Context
DLP is one of the most testable Purview capabilities on AB-900 because it directly intersects with Microsoft 365 Copilot. Examiners want you to know where DLP applies, what it detects, and what it cannot do. The wrong answers often assign DLP jobs that belong to sensitivity labels (watermarking), Conditional Access (device blocking), or Communication Compliance (harassment detection).
What DLP Does
Data Loss Prevention (DLP) policies identify, monitor, and automatically protect sensitive information across Microsoft 365 workloads. When content matches a rule, DLP can:
- Block sharing or processing outright.
- Warn users with a policy tip explaining the violation.
- Encrypt in some configurations (often paired with sensitivity labels).
- Generate alerts for compliance administrators.
For Copilot specifically, DLP extends to AI interactions: if a user prompt or retrieved document contains configured sensitive information types, DLP can prevent Copilot from processing, summarizing, or surfacing that content.
Sensitive Information Types (SITs)
An sensitive information type is a pattern Purview uses to detect regulated or confidential data. Categories AB-900 emphasizes:
| Category | Examples | Typical regulatory driver |
|---|---|---|
| Financial | Credit card numbers, bank account numbers | PCI-DSS |
| Personal (PII) | Social Security numbers, passport numbers | GDPR, state privacy laws |
| Health | Medical record numbers, HIPAA-related patterns | HIPAA |
| Credentials | Passwords, API keys in clear text | Security policy |
Microsoft ships 100+ built-in SITs. Organizations can also create:
- Custom SITs — regular-expression or keyword patterns for proprietary data formats.
- Exact data match (EDM) — detect values from an uploaded database of sensitive tokens.
- Trainable classifiers — machine learning models trained on sample documents (for example, merger agreements).
On the Exam: Trainable classifiers detect document types; SITs detect data patterns. Both can trigger auto-labeling or DLP, but the detection mechanism differs.
DLP Policy Locations Relevant to Copilot
When authoring a DLP policy, administrators choose locations where rules apply:
| Location | Copilot connection |
|---|---|
| Exchange email | Copilot in Outlook reads mailbox content subject to DLP |
| SharePoint / OneDrive | Source documents Copilot retrieves via Graph |
| Teams chat and channel messages | Copilot in Teams conversations |
| Microsoft 365 Copilot | Direct evaluation of prompts and AI-generated output |
| Endpoint devices | Content in Office desktop apps before upload |
Including the Microsoft 365 Copilot location is essential for AI-era governance. A policy that only covers Exchange will not protect Copilot Chat prompts.
Policy Actions and Policy Tips
A typical DLP rule contains:
- Conditions — which SITs, how many instances (for example, 10+ credit cards), confidence level.
- Actions — block, notify, generate incident report.
- User overrides — whether users can justify and bypass (often disabled for highly regulated data).
Policy tips appear inline in Office apps: "This message contains credit card numbers and cannot be sent." In Copilot, an equivalent block might prevent summarizing a spreadsheet column of SSNs even though the user can open the file manually — DLP adds a compliance gate at AI processing time.
DLP vs Other Controls (High-Yield Comparison)
| Requirement | Correct tool |
|---|---|
| Block Copilot on non-compliant personal phones | Conditional Access + Intune compliance |
| Encrypt a downloaded finance report | Sensitivity label |
| Detect harassment in Copilot prompts | Communication Compliance |
| Stop Copilot summarizing files with 10+ SSNs | DLP policy |
| Discover which sites overshare to guests | SharePoint Data Access Governance reports |
This table resolves many AB-900 distractors. If the stem mentions devices, think Conditional Access — not DLP.
Adaptive Protection and Copilot Signals
Adaptive Protection connects Insider Risk Management user risk levels to DLP enforcement. When a user's risk score rises — potentially driven by unusual Copilot data retrieval volumes — DLP can automatically apply stricter actions for that user without rewriting the base policy.
Adaptive Protection does not permanently block Copilot or auto-author new policies from AI recommendations. It dynamically tightens existing DLP enforcement for elevated-risk users. Permanent access removal remains a manual admin decision.
Purview Activity Explorer and Data Explorer
Two Purview investigation surfaces appear on AB-900 skills lists and are easy to confuse with DLP policy configuration itself.
| Tool | Primary question it answers | Typical AB-900 use |
|---|---|---|
| Activity explorer | What did users do with labeled or sensitive content? | Review label applications, DLP matches, and user activities reported for sensitive information |
| Content / Data explorer (sensitive information discovery views) | Where does sensitive information live? | Identify locations and volumes of sensitive info types across SharePoint, OneDrive, Exchange, and Teams |
Activity explorer is the go-to when a stem asks you to identify user activities related to sensitivity labels, DLP policy matches, or how people interacted with protected content. Filter by activity, location, user, or label to investigate oversharing before or after Copilot rollout.
Data Explorer / sensitive-info discovery views help admins find where sensitive information exists so they can prioritize labeling and DLP. On the exam, if the goal is discovery of sensitive content locations, choose Data Explorer-style discovery; if the goal is auditing what users did with that content, choose Activity explorer.
On the Exam: "Identify user activities reported by activity explorer" maps to Activity explorer. "Identify sensitive information" in a discovery sense maps to Data Explorer / content exploration, not to creating a new retention label.
Worked Scenario: Copilot + PHI Block
A pharmaceutical company enables Copilot for research staff. Compliance requires that Copilot never summarize clinical trial patient identifiers. The administrator should:
- Confirm HIPAA-related SITs are in use (built-in health patterns).
- Create a DLP policy scoped to SharePoint, OneDrive, Teams, and Microsoft 365 Copilot.
- Set action to block when SITs match in Copilot processing.
- Enable Simulation mode first to measure false positives.
- Pair with sensitivity labels on trial document libraries for defense in depth.
Choosing to disable Copilot tenant-wide is disproportionate; targeted DLP with Copilot location scoped is the exam-aligned answer.
Implementation Tips for Administrators
- Start with Simulation mode — logs matches without blocking.
- Tune instance counts to reduce false positives (one SSN in a test doc vs bulk export).
- Document override justification settings — regulators often prohibit bypass for PCI data.
- Review DLP incidents alongside Purview AI Hub for centralized AI compliance visibility.
Study Checklist
- Define sensitive information types and name three built-in categories.
- Explain how DLP integrates with Microsoft 365 Copilot.
- List at least four DLP policy locations.
- Distinguish DLP from sensitivity labels and Conditional Access.
- Describe Adaptive Protection's relationship to Insider Risk Management.
How does Microsoft Purview DLP integrate with Microsoft 365 Copilot?
What is Microsoft Purview Adaptive Protection?
An organization must stop employees from using Copilot on unmanaged personal phones. Which control should they use?