How DLP works between the Security & Compliance Center and Exchange Admin Center

In Office 365, you can create a data loss prevention (DLP) policy in two different admin centers:

  • In the Security & Compliance Center, you can create a single DLP policy to help protect content in SharePoint, OneDrive, and Exchange. When possible, we recommend that you create a DLP policy here. For more information, see DLP in the Security & Compliance Center.

  • In the Exchange Admin Center, you can create a DLP policy to help protect content only in Exchange. This policy can use Exchange transport rules, so it has more options specific to handling email. For more information, see DLP in the Exchange Admin Center.

DLP polices created in these admin centers work side by side - this topic explains how.

DLP pages in Security and Compliance Center and Exchange Admin Center

How DLP in the Security & Compliance Center works with DLP and transport rules in the Exchange Admin Center

After you create a DLP policy in the Security & Compliance Center, the policy is deployed to all of the locations included in the policy. If the policy includes Exchange Online, the policy’s synced there and enforced in exactly the same way as a DLP policy created in the Exchange admin center.

If you’ve created DLP policies in the Exchange admin center, those policies will continue to work side by side with any policies for email that you create in the Security & Compliance Center. But note that rules created in the Exchange admin center take precedence. All Exchange transport rules are processed first, and then the DLP rules from the Security & Compliance Center are processed.

This means that:

  • Messages that are blocked by Exchange transport rules won’t get scanned by DLP rules created in the Security & Compliance Center.

  • If an Exchange transport rule modifies a message in a way that causes it to match a DLP policy in the Security & Compliance Center – such as adding external users – then the DLP rules will detect this and enforce the policy as needed.

Also note that Exchange transport rules that use the “stop processing” action don’t affect the processing of DLP rules in the Security & Compliance Center – they’ll still be processed.

Policy tips in the Security & Compliance Center vs. the Exchange Admin Center

Policy tips can work either with DLP policies and mail flow rules created in the Exchange Admin Center, or with DLP policies created in the Security & Compliance Center, but not both. This is because these policies are stored in different locations, but policy tips can draw only from a single location.

If you’ve configured policy tips in the Exchange Admin Center, any policy tips that you configure in the Security & Compliance Center won’t appear to users in Outlook on the web and Outlook 2013 and later until you turn off the tips in the Exchange Admin Center. This ensures that your current Exchange transport rules will continue to work until you choose to switch over to the Security & Compliance Center.

Note that while policy tips can draw only from a single location, email notifications are always sent, even if you're using DLP policies in both the Security & Compliance Center and the Exchange Admin Center.

Expand your skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×