Targets Exchange Online (EXO), SharePoint Online (SPO), OneDrive for Business (ODB), and Microsoft Teams. Uses two Sensitive Info Type (SIT) tiers by volume plus an IT-data secrets rule. All rules are monitor-only (no enforcement).
Scope
- Exchange Online
- SharePoint Online
- OneDrive for Business
- Microsoft Teams
Tip: Tune Count Range and Confidence per SIT against your org's data. Start conservative — monitor-only mode means no user impact while you gather signal.
Monitor Only – Low Volume – SIT
Conditions
- Content is shared from Microsoft 365 with people outside my organization
- Content contains any of the configured Sensitive Info Types
Sensitive Info Types
| SIT | Count Range | Confidence |
|---|---|---|
| Credit Card Number | 1–5 | Low |
| U.S. / U.K. Passport Number | 1–5 | Medium |
| U.S. Bank Account Number | 1–5 | Medium |
| U.S. Driver's License Number | 1–5 | Medium |
| U.S. Individual Taxpayer Identification Number (ITIN) | 1–5 | Medium |
| U.S. Social Security Number (SSN) | 1–5 | High |
| ABA Routing Number | 1–5 | Medium |
Actions (Monitor-only)
- Log to Activity Explorer as Medium
- (No user-facing restriction in monitor-only mode)
Notes
- Monitor-only (no restriction): Use for signal gathering and tuning.
- Adjust boundaries (e.g., 1–5) to fit your org's baseline volume.
Monitor Only – High Volume – SIT
Conditions
- Content is shared from Microsoft 365 with people outside my organization
- Content contains any of the configured Sensitive Info Types
Sensitive Info Types
| SIT | Count Range | Confidence |
|---|---|---|
| Credit Card Number | 6+ | Low |
| U.S. / U.K. Passport Number | 6+ | Medium |
| U.S. Bank Account Number | 6+ | Medium |
| U.S. Driver's License Number | 6+ | Medium |
| U.S. Individual Taxpayer Identification Number (ITIN) | 6+ | Medium |
| U.S. Social Security Number (SSN) | 6+ | High |
| ABA Routing Number | 6+ | Medium |
Actions (Monitor-only)
- Log to Activity Explorer as High
- (No user-facing restriction in monitor-only mode)
Notes
- Higher volumes often correspond to bulk data movement. Keep monitor-only initially to understand patterns.
- Consider escalating to block/quarantine after tuning.
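The two volume tiers above, expressed as Security & Compliance PowerShell (an added example, not part of the original playbook). The policy name is constructed, and mapping "monitor-only" to `-Mode TestWithoutNotifications` and the Activity Explorer severity to `-ReportSeverityLevel` is an assumption of this example; it expects an existing `Connect-IPPSSession` session.

```powershell
# Added example: names marked (example) are constructed, not from the playbook.
# Prerequisite: ExchangeOnlineManagement module and Connect-IPPSSession.

$policyName = 'Monitor Only - Baseline DLP (example)'

# SIT names and confidence levels as listed in the Low/High Volume tables.
$sitConfidence = [ordered]@{
    'Credit Card Number'                                    = 'Low'
    'U.S. / U.K. Passport Number'                           = 'Medium'
    'U.S. Bank Account Number'                              = 'Medium'
    "U.S. Driver's License Number"                          = 'Medium'
    'U.S. Individual Taxpayer Identification Number (ITIN)' = 'Medium'
    'U.S. Social Security Number (SSN)'                     = 'High'
    'ABA Routing Number'                                    = 'Medium'
}

# Build one condition entry per SIT for a given count range.
# Leaving MaxCount empty produces an open-ended range (the "6+" tier).
function New-SitCondition {
    param([string]$MinCount, [string]$MaxCount)
    foreach ($name in $sitConfidence.Keys) {
        $c = @{ Name = $name; minCount = $MinCount
                confidencelevel = $sitConfidence[$name] }
        if ($MaxCount) { $c.maxCount = $MaxCount }
        $c
    }
}

# One policy across all four workloads in scope; simulation mode, no policy tips.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All `
    -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithoutNotifications

# Low volume: 1-5 matches, shared outside the organization, severity Medium.
New-DlpComplianceRule -Name 'Monitor Only - Low Volume - SIT' `
    -Policy $policyName -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @(New-SitCondition -MinCount '1' -MaxCount '5') `
    -ReportSeverityLevel Medium

# High volume: 6 or more matches, severity High. No restrictive action on either rule.
New-DlpComplianceRule -Name 'Monitor Only - High Volume - SIT' `
    -Policy $policyName -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @(New-SitCondition -MinCount '6') `
    -ReportSeverityLevel High
```

Keeping the count boundaries in one helper means a tuning change (for example moving the split from 5/6) is made in two arguments rather than fourteen table cells.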
Monitor Only – IT Data
Conditions
- Content contains any of the configured IT/developer secret sensitive info types
- Content is shared from Microsoft 365 with people outside my organization
Sensitive Info Types
| SIT | Count Range | Confidence |
|---|---|---|
| Azure SQL Connection String | 1+ | High |
| SQL Server Connection String | 1+ | High |
| Client Secret / API Key | 1+ | High |
| General Symmetric Key | 1+ | High |
| X.509 Certificate Private Key | 1+ | High |
| Microsoft Entra User Credentials | 1+ | High |
| User Login Credentials | 1+ | High |
Actions (Monitor-only)
- Log to Activity Explorer as High
- (Optional) Send alert to Administrator (email and/or Activity Explorer)
- (No user-facing restriction in monitor-only mode)
Notes
- These are high-risk developer/IT secrets; alerting helps you identify the paths by which they leak out of the organization.
- After baselining, consider enforcement for this rule first.
Next Steps
After a 2–4 week baseline, use the signal from Activity Explorer to move into enforcement. Start with the Exchange Online Baseline DLP playbook — it applies escalating controls to EXO: encrypting outbound credit card data, blocking high-volume SSN exfiltration, and warning senders on low-volume SSN sharing. Keep the Low-Volume SIT rule in monitor across all workloads until you have clean signal to justify enforcement there.