This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
--> Identify data protection and governance risks for Microsoft 365 and Copilot
--> Identify and respond to alerts generated by Microsoft Purview Data Loss Prevention (DLP)
Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.
Introduction
Microsoft Purview Data Loss Prevention (DLP) helps organizations prevent the accidental or intentional exposure of sensitive information. DLP continuously monitors user activities across Microsoft 365 services and generates alerts when users violate data protection policies.
For the AB-900 exam, you should understand:
- What Microsoft Purview DLP alerts are
- When DLP alerts are generated
- How administrators review alerts
- Alert severity and prioritization
- Investigation workflows
- How to respond to DLP alerts
- Integration with other Microsoft Purview and Microsoft Defender solutions
- Best practices for managing alerts
What Is Microsoft Purview Data Loss Prevention (DLP)?
Microsoft Purview Data Loss Prevention (DLP) is a Microsoft Purview solution that helps organizations identify, monitor, and protect sensitive information from unauthorized sharing or exposure.
DLP policies monitor data stored in Microsoft 365 services such as:
- Microsoft Exchange Online
- Microsoft SharePoint Online
- Microsoft OneDrive for Business
- Microsoft Teams
- Microsoft Defender for Cloud Apps
- Endpoint devices (with Endpoint DLP)
- Power BI (supported scenarios)
When a user performs an action that violates a DLP policy, the system can generate an alert.
What Is a DLP Alert?
A DLP alert is a notification generated when a DLP policy detects activity that violates organizational data protection rules.
Alerts help administrators:
- Detect risky user behavior
- Investigate policy violations
- Respond to incidents quickly
- Reduce data leakage
- Demonstrate compliance
Alerts are one of the primary tools compliance administrators use to monitor organizational data protection.
When Are DLP Alerts Generated?
Alerts are generated when users perform actions that violate configured DLP policies.
Examples include:
- Emailing confidential documents externally
- Uploading sensitive files to unauthorized cloud storage
- Copying protected files to USB devices
- Printing highly confidential documents
- Sharing files publicly
- Downloading sensitive files from SharePoint
- Copying confidential information into unmanaged applications
Not every policy generates an alert. Alert generation depends on the configured policy actions.
How DLP Detects Sensitive Information
Before generating alerts, DLP identifies sensitive content using several methods.
Sensitive Information Types (SITs)
Built-in detectors identify information such as:
- Credit card numbers
- Social Security numbers
- Passport numbers
- Driver’s license numbers
- Bank account numbers
- Tax identification numbers
- Healthcare identifiers
Sensitivity Labels
Microsoft Purview Information Protection labels can identify:
- Public
- General
- Confidential
- Highly Confidential
Policies can generate alerts whenever protected documents are shared improperly.
Trainable Classifiers
Machine learning can recognize documents such as:
- Resumes
- Contracts
- Source code
- Financial reports
- Legal documents
Exact Data Match (EDM)
Organizations can detect exact records such as:
- Customer databases
- Employee IDs
- Payroll records
Components of a DLP Alert
Each alert contains detailed information to help administrators investigate the incident.
Typical alert details include:
- User involved
- Date and time
- Policy name
- Rule triggered
- Sensitive information detected
- File name
- File location
- Service involved
- Severity level
- User activity
- Recommended actions
Alert Severity
DLP alerts are assigned severity levels to help prioritize investigations.
Typical levels include:
Low
Examples:
- Minor policy violations
- First-time incidents
- Low-risk data exposure
Medium
Examples:
- Multiple policy violations
- Larger quantities of sensitive information
- Repeated risky behavior
High
Examples:
- Large-scale data exfiltration
- Highly confidential information
- Repeated attempts to bypass policies
- Executive or privileged account violations
Administrators generally investigate High severity alerts first.
Reviewing DLP Alerts
Administrators review alerts in the Microsoft Purview portal.
The alert dashboard allows administrators to:
- View all active alerts
- Filter alerts
- Search alerts
- Sort by severity
- Review alert details
- Assign alerts
- Track investigation status
Information Available During Investigation
Selecting an alert provides additional information.
Examples include:
User Information
- Username
- Department
- Device
- Location
Activity Timeline
Investigators can review:
- File creation
- Downloads
- Sharing
- Email activity
- Printing
- USB transfers
Policy Information
The alert identifies:
- Which DLP policy triggered
- Which rule matched
- Sensitive information detected
- Confidence level
File Details
Investigators may see:
- File name
- Location
- File owner
- Label applied
- Number of sensitive items detected
Responding to DLP Alerts
After reviewing an alert, administrators choose an appropriate response.
Possible actions include:
Close the Alert
Appropriate when the activity is determined to be legitimate or a false positive.
Investigate Further
Review:
- User behavior
- Related alerts
- Audit logs
- Endpoint activities
Escalate
Escalate high-risk alerts to:
- Security teams
- Compliance officers
- Legal departments
- Human Resources
Adjust Policies
If alerts indicate:
- Too many false positives
- Policy gaps
- Incorrect thresholds
Administrators can modify DLP policies accordingly.
Educate Users
Many violations are accidental.
Organizations often:
- Notify users
- Provide training
- Improve awareness
User Notifications (Policy Tips)
Instead of immediately blocking users, DLP can display Policy Tips.
Policy Tips inform users that:
- Sensitive information was detected
- Their action violates policy
- They should modify their behavior
Examples include:
- “This email contains confidential information.”
- “Sharing this document externally violates company policy.”
Policy Tips reduce accidental violations.
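The configured policy actions that make DLP raise an alert, set its severity, and show a Policy Tip (the points made under "When Are DLP Alerts Generated?", "Alert Severity" and this section), as an added example that is not part of the original post. It uses Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module; the policy and rule names, the Contoso wording, and the thresholds are placeholders chosen for the credit-card scenario described later in the post.

```powershell
# Added example (not from the original post): a Purview DLP policy and rule whose
# actions generate an alert, set severity, and show a Policy Tip.
# Requires the ExchangeOnlineManagement module; names are placeholders.
Connect-IPPSSession

# 1. Policy scope: the Microsoft 365 workloads this policy monitors.
New-DlpCompliancePolicy -Name "Contoso-CC-External" `
    -Comment "Block external sharing of credit card numbers and alert admins" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications   # simulate first; switch to Enable after tuning false positives

# 2. Rule: conditions plus actions. A rule without GenerateAlert or
#    GenerateIncidentReport matches silently and produces no alert for admins.
New-DlpComplianceRule -Name "Contoso-CC-External-Block" -Policy "Contoso-CC-External" `
    -ContentContainsSensitiveInformation @(@{Name="Credit Card Number"; minCount="10"; minConfidence="85"}) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner,LastModifier `
    -NotifyPolicyTipCustomText "This item contains credit card numbers and cannot be shared outside Contoso." `
    -GenerateAlert SiteAdmin `
    -ReportSeverityLevel High `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent All

# 3. Check that the rule really carries the alert-generating actions before leaving test mode.
Get-DlpComplianceRule -Identity "Contoso-CC-External-Block" |
    Select-Object Name, BlockAccess, GenerateAlert, ReportSeverityLevel, NotifyUser
```

Raising minCount or minConfidence is the usual first tuning step when such a rule produces too many false positives; the policy stays in test mode until the alert volume looks right.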
Alert Lifecycle
A typical DLP alert progresses through several stages.
- Sensitive data is detected.
- DLP policy evaluates the activity.
- Alert is generated.
- Administrator reviews the alert.
- Investigation begins.
- Response action is taken.
- Alert is closed.
Integration with Microsoft Purview Solutions
DLP works closely with other Microsoft Purview capabilities.
Microsoft Purview Information Protection
Sensitivity labels provide additional context for DLP decisions.
Example:
A “Highly Confidential” document shared externally generates a higher-priority alert.
Microsoft Purview Insider Risk Management
Repeated DLP violations can contribute to insider risk investigations.
Example:
An employee repeatedly emailing confidential documents externally may trigger both DLP and Insider Risk Management alerts.
Microsoft Purview Audit
Audit logs provide additional evidence.
Investigators can review:
- File access
- Sharing history
- Administrative changes
- User activities
Microsoft Purview Compliance Manager
Compliance Manager helps organizations improve their compliance posture by recommending controls that reduce DLP-related risks.
Integration with Microsoft Defender
DLP integrates with Microsoft Defender solutions.
Examples include:
- Endpoint DLP
- Microsoft Defender for Endpoint
- Microsoft Defender for Cloud Apps
These integrations provide additional context, including:
- Device information
- Endpoint activities
- Application usage
- USB activity
- Browser uploads
Common DLP Alert Scenarios
Scenario 1
A user emails a spreadsheet containing hundreds of customer credit card numbers to a personal Gmail account.
Result:
A High severity DLP alert is generated.
Scenario 2
An employee uploads payroll records to an unauthorized cloud storage provider.
Result:
A DLP alert identifies unauthorized data movement.
Scenario 3
A contractor copies confidential engineering documents onto a USB drive.
Result:
Endpoint DLP generates an alert.
Scenario 4
A user attempts to publicly share a SharePoint folder containing confidential HR records.
Result:
The sharing attempt triggers a DLP alert.
Best Practices
Organizations should:
- Create well-designed DLP policies
- Use sensitivity labels
- Enable Policy Tips
- Review alerts regularly
- Prioritize High severity alerts
- Investigate repeated violations
- Reduce false positives through policy tuning
- Integrate DLP with Insider Risk Management
- Monitor trends over time
- Train users on proper data handling
Exam Tips
For the AB-900 exam, remember the following:
- DLP alerts are generated when users violate DLP policies.
- Alerts help administrators detect potential data leakage.
- Alerts contain details about users, files, policies, and detected sensitive information.
- Severity levels help prioritize investigations.
- Administrators can investigate, escalate, close, or remediate alerts.
- DLP integrates with Microsoft Purview Information Protection, Insider Risk Management, Audit, Compliance Manager, and Microsoft Defender.
- Policy Tips help reduce accidental policy violations.
- Endpoint DLP extends protection to Windows devices.
10 Practice Exam Questions
Question 1
A user attempts to email a document containing multiple credit card numbers to an external recipient. A Microsoft Purview DLP policy blocks the email.
What additional action can the policy perform?
A. Remove the user’s Microsoft 365 license
B. Disable the user’s account
C. Delete the user’s mailbox
D. Automatically create a DLP alert for administrators
Correct Answer: D
Explanation: DLP policies can generate alerts whenever sensitive information triggers configured policy rules, allowing administrators to investigate the incident.
Question 2
Which information is typically included in a Microsoft Purview DLP alert?
A. The organization’s annual revenue
B. The user involved, policy triggered, sensitive information detected, and activity details
C. The user’s payroll information
D. The organization’s Active Directory schema
Correct Answer: B
Explanation: DLP alerts include detailed information such as the user, file, policy, rule, sensitive information detected, and the action that triggered the alert.
Question 3
An administrator wants to focus first on the most critical potential data leakage incidents.
Which alert characteristic should they prioritize?
A. Oldest alert
B. Alphabetical order
C. Alert severity
D. File size
Correct Answer: C
Explanation: Alert severity (Low, Medium, High) helps administrators prioritize investigations based on potential business impact.
Question 4
What is the primary purpose of Policy Tips in Microsoft Purview DLP?
A. Replace DLP policies
B. Notify users that their actions may violate data protection policies
C. Automatically encrypt all files
D. Prevent administrators from reviewing alerts
Correct Answer: B
Explanation: Policy Tips educate users in real time about potential policy violations, reducing accidental exposure of sensitive information.
Question 5
Which Microsoft Purview solution commonly works with DLP by applying sensitivity labels to documents?
A. Microsoft Purview Information Protection
B. Microsoft Intune
C. Microsoft Planner
D. Microsoft Bookings
Correct Answer: A
Explanation: Information Protection applies sensitivity labels that DLP can use when evaluating and protecting sensitive content.
Question 6
What is an appropriate response after reviewing a DLP alert that is determined to be a false positive?
A. Delete the user’s Microsoft account
B. Close the alert and, if necessary, refine the DLP policy
C. Block all external email permanently
D. Remove all DLP policies
Correct Answer: B
Explanation: Administrators should close false-positive alerts and may adjust policy conditions to reduce unnecessary alerts.
Question 7
Which scenario is most likely to generate a High severity DLP alert?
A. A user changes their Teams profile picture
B. A user updates a calendar meeting
C. A user downloads a public marketing brochure
D. A user sends a file containing hundreds of customer Social Security numbers to a personal email account
Correct Answer: D
Explanation: Attempting to send large amounts of highly sensitive personal information externally is a common High severity DLP event.
Question 8
Which Microsoft solution provides additional endpoint information, such as USB activity, that can complement DLP investigations?
A. Microsoft Defender for Endpoint
B. Microsoft Word
C. Microsoft Visio
D. Microsoft Lists
Correct Answer: A
Explanation: Microsoft Defender for Endpoint provides endpoint telemetry that enhances DLP investigations, especially for Endpoint DLP scenarios.
Question 9
What is the first event that typically occurs in the DLP alert lifecycle?
A. An administrator closes the alert
B. A DLP policy detects sensitive information during a monitored user activity
C. Human Resources opens an investigation
D. The user account is suspended
Correct Answer: B
Explanation: The process begins when DLP identifies sensitive information and evaluates the activity against configured policies. If a violation is detected, an alert can be generated.
Question 10
Why would an organization integrate Microsoft Purview Insider Risk Management with DLP?
A. To replace all DLP policies
B. To reduce Microsoft 365 licensing costs
C. To correlate repeated DLP violations with broader patterns of risky user behavior
D. To manage Windows software updates
Correct Answer: C
Explanation: Insider Risk Management can use repeated DLP incidents as signals when identifying users who may present elevated insider risks, helping investigators understand behavior patterns rather than isolated events.
