3.2.2 Ensure DLP policies are enabled for Microsoft Teams


The default Teams Data Loss Prevention (DLP) policy rule in Microsoft 365 is a preconfigured rule that is automatically applied to all Teams conversations and channels. The default rule helps prevent accidental sharing of sensitive information by detecting and blocking certain types of content that are deemed sensitive or inappropriate by the organization.

By default, the rule includes sensitive information types, such as credit card numbers and social security numbers, and applies to all users in the organization.


Enabling the default Teams DLP policy rule in Microsoft 365 helps protect an organization's sensitive information by preventing accidental sharing or leakage of that information in Teams conversations and channels.


End-users may be prevented from sharing certain types of content, which may require them to adjust their behavior or seek permission from administrators to share specific content. Administrators may receive requests from end-users for permission to share certain types of content or to modify the policy to better fit the needs of their teams.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


To enable DLP policies:

Navigate to Microsoft Purview compliance portal https://compliance.microsoft.com.

Under Solutions select Data loss prevention then Policies.

Click Policies tab.

Check Default policy for Teams then click Edit policy.

The edit policy window will appear click Next

At the Choose locations to apply the policy page, turn the status toggle to On for Teams chat and channel messages location and then click Next.

On Customized advanced DLP rules page, ensure the Default Teams DLP policy rule Status is On and click Next.

On the Policy mode page, select the radial for Turn it on right away and click Next.

Review all the settings for the created policy on the Review your policy and create it page, and then click submit.

Once the policy has been successfully submitted click Done.

Default Value:

Enabled (On)

See Also


Item Details


References: 800-53|AU-11, 800-53|SI-12, CSCv7|13, CSCv7|14.7

Plugin: microsoft_azure

Control ID: 40cab5e8f247b9ae387e49b76c8d8415160cee30c556af6926493eee6f0390f3