Send notifications and show policy tips for DLP policies

You can use a data loss prevention (DLP) policy to identify, monitor, and protect sensitive information across Office 365. You want people in your organization who work with this sensitive information to stay compliant with your DLP policies, but you don’t want to block them unnecessarily from getting their work done. This is where email notifications and policy tips can help.

Message bar shows policy tip in Excel 2016

A policy tip is a notification or warning that appears when someone is working with content that conflicts with a DLP policy—for example, content like an Excel workbook on a OneDrive for Business site that contains personally identifiable information (PII) and is shared with an external user.

You can use email notifications and policy tips to increase awareness and help educate people about your organization’s policies. You can also give people the option to override the policy, so that they’re not blocked if they have a valid business need or if the policy is detecting a false positive.

In the Office 365 Security & Compliance Center, when you create a DLP policy, you can use the Send a notification action to:

  • Send an email notification to the people you choose that describes the issues and includes a link to the document.

  • Display a policy tip on each document that conflicts with the DLP policy on a OneDrive for Business site or SharePoint Online site.

  • Display a policy tip on the Message Bar and the Backstage view in an Excel 2016, PowerPoint 2016, and Word 2016 document that’s been stored on a OneDrive for Business site or SharePoint Online site that’s included in the DLP policy.

Separately from the Security & Compliance Center, you can also create a DLP policy in the Exchange admin center so that policy tips appear when people compose messages in Outlook 2013 that ships in Office 365 ProPlus or Office Professional Plus or later, Outlook on the web, and Outlook on the web for Devices.

Add the send a notification action to a DLP policy

When you create a DLP policy, both email notifications and policy tips are part of the Send a notification action.

  1. Sign in to the Office 365 admin center.

  2. In the admin center > left navigation > Admin > Admin centers > Security & Compliance. You're now in the Office 365 Security & Compliance Center.

  3. In the Security & Compliance Center > left navigation > Security policies > Data loss prevention > New (+).

  4. In the list of DLP policy templates, select the template that protects the types of sensitive information that you need > Next.

  5. Choose the locations that you want the DLP policy to protect > Next.

  6. Choose New DLP Rule (+).

  7. In the New DLP Rule dialog box, choose Actions > Add actions > the down arrow > Send a notification.

    Actions list shows Send a notification

Options for configuring email notifications

For each rule in a DLP policy, you can:

  • Send the notification to the people you choose. These people can include the owner of the content, the person who last modified the content, the owner of the site where the content is stored, or a specific user.

  • Customize the text that’s included in the notification by using HTML or tokens. See the section below for more information.

Notes: 

  • Email notifications can be sent only to individual recipients—not groups or distribution lists.

  • Only new content will trigger an email notification. Editing existing content will trigger policy tips but not an email notification.

Email options in Send a notification action

Default email notification

Notifications have a Subject line that begins with “Notification” and includes the file name of the document that’s matched a DLP policy. Clicking the link in the message body takes you to the site where the document’s stored and opens the policy tip for the document, where you can resolve any issues (see the section below about policy tips).

Notification message

By default, notifications display text similar to the following for an item on a site. The notification text is configured separately for each rule, so the text that's displayed differs depending on which rule is matched.

If the DLP policy rule does this… | Then the default notification says this…
Sends a notification but doesn’t allow override | This item conflicts with a policy in your organization.
Blocks access, sends a notification, and allows override | This item conflicts with a policy in your organization. If you don’t resolve this conflict, access to this file might be blocked.
Blocks access and sends a notification | This item conflicts with a policy in your organization. Access to this item is blocked for everyone except its owner, last modifier, and the primary site collection administrator.

Custom email notification

You can create a custom email notification instead of sending the default email notification to your end users or admins. The custom email notification supports HTML and has a 5,000-character limit. You can use HTML to include images, formatting, and other branding in the notification.

You can also use the following tokens to help customize the email notification. These tokens are variables that are replaced by specific information in the notification that’s sent.

Token | Description
%%AppliedActions%% | The actions applied to the content.
%%ContentURL%% | The URL of the document on the SharePoint Online site or OneDrive for Business site.
%%MatchedConditions%% | The conditions that were matched by the content. Use this token to inform people of possible issues with the content.

Notification message showing where tokens appear

Options for configuring policy tips

For each rule in a DLP policy, you can configure policy tips to:

  • Simply notify the person that the content conflicts with a DLP policy, so that they can take action to resolve the conflict. You can use the default text (see the tables below) or enter custom text about your organization’s specific policies.

  • Allow the person to override the DLP policy. Optionally, you can:

    • Require the person to enter a business justification for overriding the policy. This information is logged and you can view it in the DLP reports on the Reports page in the Security & Compliance Center.

    • Allow the person to report a false positive and override the DLP policy. This information is also logged for reporting, so that you can use false positives to fine tune your rules.

Policy tip options in Send a notification action

For example, you may have a DLP policy that detects personally identifiable information (PII), and this policy has three rules:

  1. First rule: If fewer than five instances of this sensitive information are detected in a document, and the document is shared with people inside the organization, the Send a notification action displays a policy tip. For policy tips, no override options are necessary because this rule is simply notifying people and not blocking access.

  2. Second rule: If more than five instances of this sensitive information are detected in a document, and the document is shared with people inside the organization, the Block access to content action restricts the permissions for the file, and the Send a notification action allows people to override the actions in this rule by providing a business justification. Your organization’s business sometimes requires internal people to share PII data, and you don’t want your DLP policy to block this work.

  3. Third rule: If more than five instances of this sensitive information are detected in a document, and the document is shared with people outside the organization, the Block access to content action restricts the permissions for the file, and the Send a notification action does not allow people to override the actions in this rule because the information is shared externally. Under no circumstances should people in your organization be allowed to share PII data outside the organization.

Here are some fine points to understand about using a policy tip to override a rule:

  • The option to override is per rule, and it overrides all of the actions in the rule (except sending a notification, which can’t be overridden).

  • It’s possible for content to match several rules in a DLP policy, but only the policy tip from the most restrictive, highest-priority rule will be shown. For example, a policy tip from a rule that blocks access to content will be shown over a policy tip from a rule that simply sends a notification. This prevents people from seeing a cascade of policy tips.

  • If the policy tips in the most restrictive rule allow people to override the rule, then overriding this rule also overrides any other rules that the content matched.
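The following Python model is an added example, not Microsoft's implementation: it encodes the three PII rules above and the override points just listed, to show which tip is displayed and what an override changes. The priority numbering, the "block beats notify" ordering, and the fourth catch-all rule are assumptions made so that a document can match more than one rule.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                          # assumption: 0 is the highest priority
    matches: Callable[[int, bool], bool]   # (pii_instances, shared_externally)
    blocks: bool = False
    allow_override: bool = False

# The three rules from the example above, plus one constructed catch-all rule
# (hypothetical) so that content can match several rules at once.
RULES = [
    Rule("external-block", 0, lambda n, ext: n > 5 and ext, blocks=True),
    Rule("internal-block", 1, lambda n, ext: n > 5 and not ext,
         blocks=True, allow_override=True),
    Rule("internal-notify", 2, lambda n, ext: 1 <= n < 5 and not ext),
    Rule("any-pii-notify", 3, lambda n, ext: n >= 1),   # constructed
]

def shown_tip(rules):
    """Only one tip is shown: most restrictive first, then highest priority."""
    if not rules:
        return None
    return min(rules, key=lambda r: (not r.blocks, r.priority))

def evaluate(n, ext, user_overrides=False):
    """Return the visible tip and the effective outcome for one document."""
    rules = [r for r in RULES if r.matches(n, ext)]
    tip = shown_tip(rules)
    # An override only takes effect if the rule behind the shown tip allows it.
    overridden = bool(tip and tip.allow_override and user_overrides)
    return {
        "tip": tip.name if tip else None,
        "can_override": bool(tip and tip.allow_override),
        # Overriding the shown rule also overrides the other matched rules.
        "blocked": any(r.blocks for r in rules) and not overridden,
        # Sending a notification is the one action an override cannot undo.
        "notification_sent": bool(rules),
    }
```

With the thresholds exactly as worded in the example (fewer than five, more than five), a document with exactly five instances matches none of the three rules; in this model only the constructed catch-all rule fires for it.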

Policy tips on OneDrive for Business sites and SharePoint Online sites

When a document on a OneDrive for Business site or SharePoint Online site matches a rule in a DLP policy, and that rule uses policy tips, the policy tips display special icons on the document:

  1. If the rule sends a notification about the file, the warning icon appears.

  2. If the rule blocks access to the document, the blocked icon appears.

Document on site shows policy tip warning icon

Document on site shows policy tip blocked icon

To take action on a document, such as overriding the DLP policy or reporting a false positive, you can select the Open menu … for the item > View policy tip.

The policy tip lists the issues with the content, and if the policy tips are configured with these options, you can choose Resolve, and then Override the policy tip or Report a false positive.

Document on site shows link to view policy tip

Policy tip with option to override

DLP policies are synced to sites and content is evaluated against them periodically and asynchronously, so there may be a short delay between the time you create the DLP policy and the time you begin to see policy tips. There may be a similar delay from when you resolve or override a policy tip to when the icon on the document on the site goes away.

Default text for policy tips on sites

By default, policy tips display text similar to the following for an item on a site. The notification text is configured separately for each rule, so the text that's displayed differs depending on which rule is matched.

If the DLP policy rule does this… | Then the default policy tip says this…
Sends a notification but doesn’t allow override | This item conflicts with a policy in your organization.
Blocks access, sends a notification, and allows override | This item conflicts with a policy in your organization. If you don’t resolve this conflict, access to this file might be blocked.
Blocks access and sends a notification | This item conflicts with a policy in your organization. Access to this item is blocked for everyone except its owner, last modifier, and the primary site collection administrator.

Custom text for policy tips on sites

You can customize the text for policy tips separately from the email notification. Unlike custom text for email notifications (see above section), custom text for policy tips does not accept HTML or tokens. Instead, custom text for policy tips is plain text only with a 256-character limit.

Policy tips in Excel 2016, PowerPoint 2016, and Word 2016

When people work with sensitive content in the desktop versions of Excel 2016, PowerPoint 2016, and Word 2016, policy tips can notify them in real time that the content conflicts with a DLP policy. This requires that:

  • The Office document is stored on a OneDrive for Business site or SharePoint Online site.

  • The site is included in a DLP policy that’s configured to use policy tips.

These Office 2016 desktop programs automatically sync DLP policies directly from Office 365, and then scan your documents to ensure that they don’t conflict with your DLP policies and display policy tips in real time.

Depending on how you configure the policy tips in the DLP policy, people can choose to simply ignore the policy tip, override the policy with or without a business justification, or report a false positive.

Policy tips appear on the Message Bar.

Message bar shows policy tip in Excel 2016

And policy tips also appear in the Backstage view (on the File tab).

Backstage shows policy tip in Excel 2016

If policy tips in the DLP policy are configured with these options, you can choose Resolve to Override a policy tip or Report a false positive.

Options on policy tip in Backstage in Excel 2016

In each of these Office 2016 desktop programs, people can choose to turn off policy tips. If turned off, policy tips that are simple notifications will not appear on the Message Bar or Backstage view (on the File tab). However, policy tips about blocking and overriding will still appear, and they will still receive the email notification. In addition, turning off policy tips does not exempt the document from any DLP policies that have been applied to it.

Default text for policy tips in Excel 2016, PowerPoint 2016, and Word 2016

By default, policy tips display text similar to the following on the Message Bar and Backstage view of an open document. The notification text is configured separately for each rule, so the text that's displayed differs depending on which rule is matched.

If the DLP policy rule does this… | Then the default policy tip says this…
Sends a notification but doesn’t allow override | This file conflicts with a policy in your organization. Go to the File menu for more information.
Blocks access, sends a notification, and allows override | This file conflicts with a policy in your organization. If you don’t resolve this conflict, access to this file might be blocked. Go to the File menu for more information.
Blocks access and sends a notification | This file conflicts with a policy in your organization. If you don’t resolve this conflict, access to this file might be blocked. Go to the File menu for more information.

Custom text for policy tips in Excel 2016, PowerPoint 2016, and Word 2016

You can customize the text for policy tips separately from the email notification. Unlike custom text for email notifications (see above section), custom text for policy tips does not accept HTML or tokens. Instead, custom text for policy tips is plain text only with a 256-character limit.
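A pre-flight check for both kinds of custom text, covering the email notification tokens and 5,000-character limit described earlier and the 256-character plain-text limit for policy tips. This is an added example, not Microsoft tooling; it assumes the limits count the raw text including markup and that token names must match exactly, and the sample strings are constructed.

```python
import re

EMAIL_LIMIT = 5000   # custom email notification: HTML and tokens allowed
TIP_LIMIT = 256      # custom policy tip: plain text only
TOKENS = {"AppliedActions", "ContentURL", "MatchedConditions"}
TOKEN_RE = re.compile(r"%%(\w+)%%")
TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")

def check_email_template(text):
    """Return a list of problems with a custom email notification body."""
    problems = []
    if len(text) > EMAIL_LIMIT:
        problems.append(f"too long: {len(text)} > {EMAIL_LIMIT} characters")
    # A misspelled token is never substituted, so recipients would see it raw.
    for name in sorted(set(TOKEN_RE.findall(text)) - TOKENS):
        problems.append(f"unknown token %%{name}%%")
    return problems

def check_policy_tip(text):
    """Return a list of problems with custom policy tip text."""
    problems = []
    if len(text) > TIP_LIMIT:
        problems.append(f"too long: {len(text)} > {TIP_LIMIT} characters")
    if TOKEN_RE.search(text):
        problems.append("tokens are not supported in policy tips")
    if TAG_RE.search(text):
        problems.append("HTML is not supported in policy tips")
    return problems

def preview(text, values):
    """Substitute sample values for tokens; unknown tokens are left visible."""
    return TOKEN_RE.sub(lambda m: values.get(m.group(1), m.group(0)), text)

# Constructed sample template; %%OwnerName%% is a hypothetical, unsupported token.
SAMPLE_EMAIL = (
    "<p>This file conflicts with our PII policy: "
    '<a href="%%ContentURL%%">open the document</a>.</p>'
    "<p>Matched: %%MatchedConditions%%<br>Actions: %%AppliedActions%%</p>"
    "<p>Owner: %%OwnerName%%</p>"
)
```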

Policy tips in Outlook, Outlook on the web, and OWA for Devices

To create a DLP policy that includes mailboxes, you need to go to the Exchange admin center. There you can configure DLP policies that present policy tips to people working with email.

For more information, see Policy tips in Exchange Online.
