
The landscape of data security within the Microsoft ecosystem has evolved significantly since Ben Stegink's 2024 session. The disparate compliance centers of the past have unified into a singular, AI-driven command center. For practitioners implementing Data Loss Prevention (DLP) across Microsoft Teams, SharePoint, Exchange, and beyond, the mechanics have shifted from reactive, static rules to proactive, adaptive intelligence.
This report serves as an authoritative 2026 companion guide to modernize your DLP architecture. It provides exact, step-by-step modernization strategies for building the original session's demonstrations today. We will rely heavily on the latest March 2026 interface paradigms, incorporating automated AI agents, dynamic scoping, and advanced endpoint controls. You will not find generic surveys here; this is a practical build guide for the modern enterprise.
What's Changed Since This Session
The transition from 2024 to March 2026 brought a total rebranding and structural overhaul to Microsoft's compliance tools. The legacy Microsoft 365 Compliance Center is now fully retired and relocated. All configurations now reside within the unified Microsoft Purview portal.
The most profound shift is the deep integration of generative AI. Microsoft Security Copilot and specialized AI agents now automate tedious administrative tasks. They handle everything from triaging alerts to generating natural language policy filters. The table below outlines the core platform shifts you need to understand before building.
| Technology / Feature | Status in March 2026 | What Replaced It |
|---|---|---|
| Microsoft 365 Compliance Center | Retired / Relocated | Unified Microsoft Purview portal with a single-entry point for all governance and security tools. |
| Static SharePoint Scopes | Legacy / Hard to Scale | Adaptive Scopes for SharePoint (Preview as of early 2026) dynamically target sites based on attributes, bypassing the old 100-site limit. |
| Azure Information Protection (AIP) Scanner | Rebranded / Upgraded | Microsoft Purview Information Protection scanner, managed directly via the Purview portal. |
| Manual Alert Triage | Augmented | DLP Triage Agent (Security Copilot) analyzes behavior patterns and synthesizes risk narratives automatically. |
| Copilot Data Protection | Evolved | DLP for Microsoft 365 Copilot explicitly restricts sensitive prompts and prevents labeled file ingestion. |
| Endpoint DLP Telemetry | Upgraded | Endpoint DLP Device Status API (April 2026) allows programmatic access to health data, replacing manual exports. |
Microsoft Purview DLP Enforcement Perimeters 2026
The unified Microsoft Purview portal now projects DLP policies across a vastly expanded perimeter, moving beyond basic Microsoft 365 workloads to encompass generative AI prompts, Fabric datasets, and cross-platform endpoints.
The unified experience streamlines navigation for all Purview solutions. You no longer have to hunt through legacy Exchange admin centers or scattered security portals. The new architecture centers on the data itself, identifying where it resides and whether it is adequately protected.
Quick Win: The fastest way to orient yourself in the 2026 environment is to memorize the new URL. Always start your configuration journey at purview.microsoft.com. Legacy links will actively redirect or fail.
How to Build This Today
Scenario 1: Teams and SharePoint DLP Configuration
The session showed you navigating the Microsoft 365 Compliance Center to create and customize a DLP policy for Teams (chats, channels) and SharePoint (sites, files). It demonstrated selecting locations, sensitive info types (e.g., financial data, PII), conditions/actions (block sharing, notify), and deploying in audit-only mode.
Here is how to build it in March 2026. The foundation remains similar, but the scoping mechanisms and AI integrations have drastically improved.
- Navigate to the Unified Portal: Open the Microsoft Purview portal. Log in with an account holding the DLP Compliance Management or Information Protection Admin role.
- Access the DLP Module: On the left-hand navigation pane, select Data loss prevention, then choose Policies. This is your centralized policy store for all workloads.
- Initiate Policy Creation: Click + Create policy. You can select a predefined template (e.g., U.S. Financial Data) or choose Custom to build from scratch. For exact parity with the session, choose Custom.
- Define Administrative Scoping: You will be prompted to define Admin units. If you are an unrestricted admin, accept the default Full directory. Otherwise, assign the policy strictly to specific departmental administrative units to enforce least-privilege access.
- Select M365 Locations: Toggle the status to On for SharePoint sites and Teams chat and channel messages. In 2026, Teams policies automatically extend protection to 1:1 and multi-party chats by default.
- Apply Adaptive Scopes: Instead of manually selecting SharePoint sites, utilize Adaptive Scopes (a heavily featured 2026 update). This dynamic capability evaluates site properties and automatically targets locations as they evolve. This entirely bypasses the legacy 100-site static limit that plagued earlier deployments.
- Configure Advanced Rules: Select Create or customize advanced DLP rules. Click Create rule to open the logic builder.
- Set Conditions: Click + Add condition. Select Content contains. Choose your desired Sensitive Information Types (SITs). Microsoft now includes Named Entity SITs that use context-aware classification rather than simple regex pattern matching.
- Set Actions for Teams and SharePoint: Click + Add an action. To prevent oversharing, select Restrict access or encrypt the content in Microsoft 365 locations. Set the parameter to Block only people outside your organization.
- Configure User Notifications: Scroll down to the User notifications section. Toggle the switch to On. Select Notify users in Office 365 service with a policy tip. Policy tips balance enforcement with user education, preventing contextless disruption to their productivity.
- Deploy in Simulation Mode: On the Policy mode page, select Run the policy in simulation mode (this is the 2026 nomenclature for audit-only mode). Check the box to Show policy tips while in simulation mode.
Once saved, the policy syncs to the central store and propagates to SharePoint and Teams. You no longer need to wait 24 hours for full propagation; modern sync times are vastly accelerated. When a user attempts to share a document containing the defined SITs in a Teams shared channel, the policy evaluates the content within seconds. If the sharing violates the rule, the message is blocked or the file is locked, depending on your enforcement mode.
The most significant 2026 advancement in this scenario is how you handle the resulting alerts. You no longer manually sift through the DLP alert dashboard. The DLP Triage Agent, powered by Security Copilot, automatically prioritizes these alerts. It evaluates content risk based on SITs and labels, synthesizing complex user behavioral patterns into a clear risk narrative.
Quick Win: Use natural language to filter your simulation data. The Security Copilot integration in Activity Explorer allows you to type prompts like "Show me all blocked SharePoint sharing events from yesterday," completely bypassing complex KQL queries.
For organizations using infrastructure-as-code, you can deploy this via the Security & Compliance PowerShell module. A modern JSON configuration for the rule logic looks like this:
```json
{
  "Name": "Block External Financial Sharing - Teams & SP",
  "Workload": "SharePoint, Teams",
  "ContentContainsSensitiveInformation": ["<placeholder: the sensitive information type list is missing from the original listing>"],
  "ExceptIfRecipientDomainIs": ["trustedpartner.com"],
  "NotifyAllowOverride": "WithoutJustification",
  "State": "SimulationMode"
}
```
(Refer to the official DLP policy reference (https://learn.microsoft.com/en-us/purview/dlp-policy-reference) for comprehensive parameter documentation.)
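The same Scenario 1 policy expressed as Security & Compliance PowerShell cmdlets, as an added example that is not part of the session or the original page. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds the DLP Compliance Management role; the policy and rule names, the two sensitive information types, the partner domain and the policy-tip text are constructed sample values. `TestWithNotifications` is the cmdlet-level equivalent of the portal's simulation mode with policy tips shown.

```powershell
# Added example (not from the page): Scenario 1 built with Security & Compliance
# PowerShell instead of the portal. Names, SIT list and partner domain are
# constructed sample values; replace them with your own.

Connect-IPPSSession   # authenticate to Security & Compliance PowerShell

$policyName = "Block External Financial Sharing - Teams & SP"

# 1. Policy: which workloads it covers and which mode it runs in.
#    TestWithNotifications = simulation mode with policy tips.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Scenario 1: Teams and SharePoint, simulation mode" `
    -SharePointLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# 2. Rule: what to match and what to do. minCount 1 means a single hit is
#    enough; raise it later if simulation data shows too much noise.
$sits = @(
    @{ Name = "Credit Card Number";                minCount = "1" },
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }
)

# BlockAccessScope PerUser blocks external users only, which is the cmdlet
# form of the portal's "Block only people outside your organization".
New-DlpComplianceRule -Name "$policyName - Rule 1" -Policy $policyName `
    -ContentContainsSensitiveInformation $sits `
    -ExceptIfRecipientDomainIs "trustedpartner.com" `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item contains financial data and cannot be shared outside the organization." `
    -NotifyAllowOverride WithoutJustification `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel Medium

# 3. Read back what was created before you ever leave simulation mode.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, SharePointLocation, TeamsLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, BlockAccess, BlockAccessScope, NotifyAllowOverride

# 4. Only after reviewing Activity Explorer data, switch to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keep the policy in `TestWithNotifications` until the simulation results have been reviewed; flipping `-Mode Enable` is a one-line change, and rolling back a noisy block rule under user pressure is far more disruptive than a few extra days of audit data.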
Scenario 2: Exchange Online Extension
The session showed you extending and applying the same DLP policy to Exchange Online. This ensured email protection operated seamlessly alongside Teams and SharePoint rules.
Here is how to build this in March 2026, utilizing dynamic risk profiling to make your email policies much smarter.
- Edit the Existing Policy: In the Microsoft Purview portal, navigate back to Data loss prevention > Policies. Select the policy you just created for Teams/SharePoint and click the Edit policy (pencil) icon.
- Add the Exchange Location: Navigate to the locations page. Toggle Exchange email to the On position.
- Refine the Scope: You can apply the policy to all users, or explicitly include/exclude specific distribution groups. In 2026, you can also use Administrative Units to scope email policies to specific geographic regions or departments.
- Configure Exchange-Specific Conditions: Proceed to the advanced rules section. Exchange offers unique conditions unavailable to Teams. You can add the condition Content is not labeled (ContentIsNotLabeled) to target unclassified emails. Alternatively, use Subject or Body matches pattern for highly specific regex string detection within the email body.
- Configure Exchange-Specific Actions: Ensure the action remains set to Restrict access or encrypt the content in Microsoft 365 locations. For Exchange, this translates to blocking the email from routing, redirecting it to a compliance officer, or applying Office 365 Message Encryption (OME).
- Configure Overrides: Navigate to the user notification section. For Exchange Online, you configure overrides here. Select Require a business justification to override. This forces users to document why they are bypassing a warning, providing a vital audit trail.
The most critical upgrade for Exchange DLP in 2026 is Adaptive Protection. This feature integrates Microsoft Purview Insider Risk Management (IRM) directly into your DLP policies. Instead of treating all users equally, Adaptive Protection dynamically identifies risky behaviors.
To enable this, add a new condition to your rule: Insider risk level for Adaptive Protection is. You can set the rule to trigger only if the sender is currently categorized as an "Elevated" risk user.
If a normal user sends an email with an SSN, they might just get a policy tip warning. However, if a user who recently resigned and has been downloading gigabytes of data attempts to send that same email, Adaptive Protection instantly elevates the enforcement. The email is hard-blocked without override options. This provides targeted protection without disrupting the broader organization.
Warning: Be cautious with the ProcessingLimitExceeded condition in Exchange. If the rules engine fails to fully scan a massive, deeply nested email attachment, this condition triggers. Setting this to "Block" universally will cause disruptive false positives for legitimate large file transfers.
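The Exchange extension from the steps above, together with the ProcessingLimitExceeded caveat just given, as an added example that is not part of the original page. It assumes the Scenario 1 policy name already exists in the tenant; the partner domain, the compliance officer mailbox and the rule names are constructed sample values. The scan-incomplete condition is deliberately kept in its own audit-only rule, with no block action, so that an unscannable attachment produces a report rather than a bounced email.

```powershell
# Added example (not from the page): extend the Scenario 1 policy to Exchange
# Online and add the Exchange-specific rules from Scenario 2. Mailbox, domain
# and rule names are constructed sample values.

Connect-IPPSSession

$policyName = "Block External Financial Sharing - Teams & SP"
$dlpOfficer = "dlp-officer@contoso.example"   # constructed sample mailbox

# 1. Add the Exchange email location to the existing policy.
Set-DlpCompliancePolicy -Identity $policyName -AddExchangeLocation All

# 2. Exchange-only rule: unlabeled mail carrying an SSN leaving the tenant is
#    blocked, but the sender may override with a business justification
#    (WithJustification), which is recorded in the audit log.
New-DlpComplianceRule -Name "$policyName - Exchange unlabeled SSN" -Policy $policyName `
    -ContentIsNotLabeled $true `
    -ContentContainsSensitiveInformation @(@{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }) `
    -ExceptIfRecipientDomainIs "trustedpartner.com" `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText "This email contains an SSN. Provide a business justification to send it externally." `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport $dlpOfficer `
    -ReportSeverityLevel High

# 3. Scan-incomplete condition as a SEPARATE, AUDIT-ONLY rule.
#    ProcessingLimitExceeded matches when the engine could not finish scanning
#    (e.g. a huge, deeply nested attachment). No -BlockAccess here: a report
#    plus severity is enough to spot abuse without breaking large, legitimate
#    transfers.
New-DlpComplianceRule -Name "$policyName - Scan incomplete (audit only)" -Policy $policyName `
    -ProcessingLimitExceeded $true `
    -GenerateIncidentReport $dlpOfficer `
    -ReportSeverityLevel Low

# 4. Confirm the two Exchange rules and that neither audit rule blocks.
Get-DlpComplianceRule -Policy $policyName |
    Format-Table Name, BlockAccess, NotifyAllowOverride, ProcessingLimitExceeded -AutoSize
```

If the audit-only rule fires often for one sender or one attachment type, that is the signal to investigate the content or tune attachment limits; it is not a reason to convert the rule to a block.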
Furthermore, 2026 introduces Network Data Security integrations for email. This allows Purview to monitor attachments shared with unmanaged cloud email providers (like personal Gmail accounts) via web browsers. This is managed through the Edge for Business Copilot Mode, which honors existing Purview protections and prevents summarization or exfiltration of sensitive email content.
Scenario 3: Endpoints, On-Premises, and Power BI
The session showed you configuring DLP extensions to endpoints/devices, on-premises repositories, and Power BI datasets.
Here is how to build this expansive architecture today. Microsoft has largely deprecated older agent requirements, moving toward native OS integrations and cloud-native hooks.
A. Endpoint DLP (Windows & macOS)
Endpoint DLP natively monitors Windows 10/11 and the three most recent macOS versions without requiring separate, bulky DLP agents. Integration is tied directly to Microsoft Defender for Endpoint.
- Verify Device Onboarding: Devices onboarded to Microsoft Defender are automatically visible to Purview. Navigate to Settings > Device onboarding > Devices to verify that the configuration and policy sync status is listed as "Updated".
- Configure Global Endpoint Settings: Before editing your policy, go to Data loss prevention > Overview > Data loss prevention settings > Endpoint settings. These global settings dictate behavior across all endpoint policies.
- Set Browser and Domain Restrictions: Under Browser and domain restrictions to sensitive data, define your Sensitive service domain groups. Enter domains for unsanctioned personal cloud storage (e.g., Dropbox) or unmanaged AI tools, and set the global action to Block.
- Restrict Application Activities: Navigate to Restricted Apps and app groups. Define sanctioned applications. Set the rule to Block access by unallowed apps to prevent users from copying sensitive data into unauthorized local software.
- Update the DLP Policy: Return to your primary DLP policy (Data loss prevention > Policies). Add Devices as a location.
- Define Device Actions: Under your rule actions, select Audit or restrict activities on devices. You can granularly configure actions for printing, copying to USB, copying to a network share, and copying to clipboard.
A major 2026 feature is Just-in-time (JIT) protection. When a user attempts an egress activity, JIT protection blocks the action locally while waiting for the cloud policy evaluation to complete. This ensures that large files aren't exfiltrated during the few seconds it takes the classification engine to run. Endpoint DLP in 2026 can also natively classify and restrict Azure RMS-protected documents when they are opened in local applications, ensuring persistent governance even on encrypted files.
Furthermore, Microsoft has introduced Optical Character Recognition (OCR) support for endpoints. This prevents malicious insiders from bypassing text-based filters by taking screenshots of sensitive data and exfiltrating the images.
B. On-Premises Repositories
The legacy Azure Information Protection (AIP) Scanner shown in the 2024 session has been fully rebranded and integrated. It is now the Microsoft Purview Information Protection scanner.
- Deploy the Scanner: Install the Information Protection client on a dedicated Windows Server. Ensure the server has a minimum SQL Server 2016 backend for the configuration database.
- Create a Content Scan Job: In the Microsoft Purview portal, navigate to Information protection scanner > Content scan jobs. Click Add.
- Configure the Job: Set the schedule. To use DLP, toggle Enable DLP rules to On. Set the Info types to be discovered to Policy only to optimize performance.
- Add Repositories: Specify the exact UNC network share paths or legacy SharePoint Server document libraries you wish to monitor.
- Update the DLP Policy: In your master DLP policy, toggle On-premises repositories as a location. Assign it to the configured file paths. Ensure the policy mode is set to Enforce to actively block actions on the file share, rather than just discovering them.
Once running, the scanner crawls the file shares. The results and rule matches are available directly in the Microsoft 365 Audit log, accessible via the Purview portal or PowerShell (Search-UnifiedAuditLog).
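The on-premises repository assignment and the audit-log query mentioned above, as an added example that is not part of the original page. It assumes the Scenario 1 policy exists and a content scan job with DLP rules enabled has already run; the UNC paths are constructed sample values. The `AuditData` field names the script reads (`Workload`, `PolicyDetails`, `ObjectId`) are the ones I have seen in DLP rule-match records and may need adjusting to what your records actually contain.

```powershell
# Added example (not from the page): attach scanner repositories to the policy,
# then pull the resulting DLP rule matches from the unified audit log.
# UNC paths are constructed sample values.

Connect-IPPSSession

$policyName = "Block External Financial Sharing - Teams & SP"

# 1. On-premises repositories location: the same UNC paths the scan job crawls.
$repos = @("\\fs01.corp.example\Finance", "\\fs01.corp.example\HR")
Set-DlpCompliancePolicy -Identity $policyName -AddOnPremisesScannerDlpLocation $repos

# 2. After the scan job has run, fetch rule matches from the last 7 days.
#    Search-UnifiedAuditLog returns at most ResultSize records per call; the
#    session parameters let you page through larger result sets.
$end   = Get-Date
$start = $end.AddDays(-7)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations DlpRuleMatch -ResultSize 5000 `
    -SessionId "dlp-onprem-review" -SessionCommand ReturnLargeSet

# 3. AuditData is a JSON string: parse it and flatten the fields an analyst
#    needs. ($hits rather than $matches, which is a PowerShell automatic variable.)
$hits = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time     = $r.CreationDate
        Workload = $d.Workload
        Policy   = ($d.PolicyDetails.PolicyName) -join ";"
        Rules    = ($d.PolicyDetails.Rules.RuleName) -join ";"
        Actions  = ($d.PolicyDetails.Rules.Actions) -join ";"
        Item     = $d.ObjectId
    }
}

# 4. Show only matches from the on-premises scanner, newest first.
$hits |
    Where-Object { $_.Workload -like "*OnPremises*" } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Export the flattened objects with `Export-Csv` if the review is handed to someone without Purview access; the raw `AuditData` string is awkward to read but is the authoritative record and should be kept alongside the summary.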
C. Fabric and Power BI Datasets
DLP now natively covers the expanded Microsoft Fabric ecosystem. This includes Power BI, KQL databases, Fabric Warehouses, and Mirrored databases.
- Create a Custom Policy: Pre-configured templates cannot be used for Fabric; you must build from scratch. Navigate to Data loss prevention > Policies and select + Create policy, choosing the Custom option.
- Target Workspaces: Select Fabric and Power BI workspaces in the locations list. Note that these policies only apply to workspaces hosted in Fabric or Premium capacities.
- Define Conditions: Set the condition to look for specific Sensitivity Labels or standard SITs.
- Configure Access Restrictions: Under actions, select Restrict access.
When a policy match occurs, the platform automatically attaches a policy tip to the dataset and registers an alert. The "Restrict access" action immediately revokes access for all users except the data owner and explicitly allowed internal members. This is critical for preventing the oversharing of financial or health dashboards.
Warning: Advanced classifiers—such as Exact Data Match (EDM) or Trainable Classifiers—are not currently supported for Fabric DLP evaluation. Stick to standard SITs and Sensitivity Labels when building Power BI rules.
Scenario 4: Best Practices - Pairing Sensitivity Labels with DLP
The session concluded with a best practices demo: pairing DLP policies with Microsoft Purview sensitivity labels for proactive file protection in Teams and SharePoint.
This remains the gold standard in 2026. Rather than relying solely on real-time content scanning (which can miss context), this method ensures that classification travels persistently with the file. DLP then acts as the ultimate enforcement gatekeeper based on that label.
Here is how to configure this pairing flawlessly today.
- Create the Taxonomy: Navigate to Solutions > Information Protection > Sensitivity labels in the Purview portal. Click + Create and define your label.
- Configure Label Protections: Define what the label natively enforces. For a label named "Highly Confidential," configure it to apply a visual watermark and strictly limit document access permissions via encryption.
- Publish the Labels: Go to Label publishing policies and assign the labels to the appropriate Entra ID administrative units or groups.
- Pair with DLP: Open your master DLP policy (Data loss prevention > Policies). Under Conditions, click + Add condition and select Content contains.
- Select the Label: Choose Sensitivity label from the drop-down menu and select your "Highly Confidential" label.
- Define the Enforcement Gate: Set the DLP action to strictly block sharing.
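The label-to-DLP pairing from the steps above, built in one policy that also carries the Fabric and Power BI workspace location from Scenario 3C, as an added example that is not part of the original page. The label name, the rights group, the label policy name and the DLP policy name are constructed sample values; the nested hashtable shape used for the sensitivity-label condition is the one documented for `New-DlpComplianceRule`, and whether the label is referenced by name or by GUID should be confirmed with `Get-Help New-DlpComplianceRule -Examples` before relying on it.

```powershell
# Added example (not from the page): create and publish an encrypting label,
# then build a custom DLP policy whose rule conditions on that label across
# SharePoint, Teams and Fabric/Power BI workspaces. Names are constructed
# sample values.

Connect-IPPSSession

# 1. Taxonomy: one encrypting, watermarked label. Rights go to a group so that
#    membership changes never require re-labeling files.
New-Label -Name "HighlyConfidential" -DisplayName "Highly Confidential" `
    -Tooltip "Restricted to the finance group; encrypted and watermarked." `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "finance-restricted@contoso.example:VIEW,EDIT" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -ApplyWaterMarkingEnabled $true `
    -ApplyWaterMarkingText "Highly Confidential"

# 2. Publish the label so users (and later auto-labeling) can apply it.
New-LabelPolicy -Name "Finance label policy" -Labels "HighlyConfidential" -ExchangeLocation All

# 3. DLP gate: a CUSTOM policy (templates cannot target Fabric) covering
#    SharePoint, Teams and Fabric/Power BI workspaces, starting in simulation.
$policyName = "Highly Confidential - enforcement gate"
New-DlpCompliancePolicy -Name $policyName `
    -SharePointLocation All -TeamsLocation All -PowerBIDlpLocation All `
    -Mode TestWithNotifications

# 4. Condition on the LABEL rather than on SITs: the label travels with the
#    file, is the only thing DLP can read once the content is encrypted, and
#    is one of the two classifier kinds Fabric evaluates (labels and standard
#    SITs; no EDM, no trainable classifiers).
$labelCondition = @(@{
    operator = "And"
    groups   = @(@{
        operator = "Or"
        name     = "Default"
        labels   = @(@{ name = "HighlyConfidential"; type = "Sensitivity" })
    })
})

# BlockAccessScope All = everyone except the owner, last modifier and site
# admin, which matches the Fabric "Restrict access" behaviour.
New-DlpComplianceRule -Name "$policyName - block sharing" -Policy $policyName `
    -ContentContainsSensitiveInformation $labelCondition `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "Highly Confidential content cannot be shared from here." `
    -ReportSeverityLevel High

# 5. Confirm the three locations and the label condition were recorded.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, SharePointLocation, TeamsLocation, PowerBIDlpLocation
(Get-DlpComplianceRule -Identity "$policyName - block sharing").ContentContainsSensitiveInformation
```

Keep the label policy and the DLP policy under the same change-control ticket: a renamed or retired label silently breaks the DLP condition that references it, and simulation mode will not warn you, because an unmatched condition simply produces no events.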
While the sensitivity label natively encrypts the file (protecting data at rest), the DLP policy monitors the activity. If a user attempts to upload that "Highly Confidential" file to an unsanctioned web browser or share it in a Teams channel with external guests, the DLP policy intercepts and blocks the transit.
Best Practice: Microsoft recommends keeping your taxonomy to a maximum of five top-level parent labels. Providing users with too many options causes confusion and drastically lowers adoption rates.
The most urgent reason to pair labels with DLP in 2026 is AI Governance. Generative AI introduces massive data leakage risks if your environment isn't properly configured.
To secure your AI rollouts, utilize the Microsoft 365 Copilot (preview) location within your DLP policy. By setting your condition to a specific sensitivity label (e.g., "Confidential | AI-Restricted"), you explicitly block Microsoft 365 Copilot from parsing, ingesting, or summarizing that specific intellectual property.
Furthermore, you can protect the prompts themselves. The new DLP for Microsoft 365 Copilot web search control allows you to selectively block user prompts that contain Sensitive Information Types (SITs) from being sent to external web search. This prevents users from inadvertently pasting proprietary code or financial data into a Copilot prompt that queries the public internet.
Warning: DLP's ability to evaluate encrypted content in motion is limited. For the Inline web traffic location, DLP cannot extract text from encrypted files. It will only evaluate the file's metadata—specifically the sensitivity label name or file size—to execute a block action. Always rely on the metadata label condition, not internal SITs, when restricting encrypted file transit.
Licensing Quick Reference
Microsoft's licensing structure for compliance features operates on a per-user model. The naming conventions and bundled features evolved significantly heading into 2026. The "E5 Compliance" add-on is now officially rebranded as the Microsoft Purview Suite.
Below is a simplified breakdown of the required tiers to implement the specific strategies outlined in this guide.
| Feature / Capability | Microsoft 365 E3 | Microsoft 365 E5 (or E3 + Purview Suite Add-on) |
|---|---|---|
| Manual Sensitivity Labeling | Included | Included |
| Basic DLP for Exchange/SharePoint | Included | Included |
| Audit Logs (Searchable History) | Standard (180 Days) | Premium (1 Year + Custom Retention) |
| Endpoint DLP (Windows / macOS) | Not Included | Required |
| DLP for Teams Chat / Channel Messages | Not Included | Required |
| Automatic / Recommended Labeling | Not Included | Required |
| Insider Risk Management (Adaptive Protection) | Not Included | Required |
| eDiscovery | Standard (Holds, export) | Premium (Custodian workflows, Analytics) |
| Copilot Data Protections | Limited | Full |
If you are operating in a Small or Medium Business (SMB) environment, Microsoft 365 Business Premium is no longer an eligible prerequisite for the standalone enterprise Purview Suite as of late 2025. Instead, Microsoft introduced the Purview Suite for Business Premium add-on. This provides SMBs access to enterprise-grade Endpoint DLP, Premium Audit, and Insider Risk Management tailored for sub-300 user environments.
Finally, be aware that advanced functionalities regarding non-Microsoft 365 data sources, third-party network SASE integrations, and broader Data Security Posture Management (DSPM) may utilize Azure-based Pay-As-You-Go consumption billing. This consumption model builds on top of your per-user E5 licensing, charging based on the specific units of data processed outside the core Microsoft 365 boundary.