Managing Data Loss Protection (DLP) Alerts

Questions

  • What is Data Loss Protection (DLP) and why is Bowdoin using it?
  • What sensitive data does DLP detect and protect?
  • What applications or services does DLP work in?
  • What happens if I try to share sensitive data to people outside of Bowdoin?
  • How do I share documents safely or get help if what I'm sharing is blocked?

Environment

  • Bowdoin students, faculty, and staff using services in Microsoft 365:
    • Outlook (email)
    • OneDrive
    • Microsoft Teams/SharePoint
    • Microsoft 365 Copilot.
  • Data Loss Prevention services run automatically to prevent accidental sharing of sensitive, personal data outside Bowdoin.

Answers

What Data Loss Protection (DLP) does

  • DLP detects and protects sensitive data (Social Security Numbers (SSN), U.S./U.K. passports, U.S. driver’s licenses, bank and credit card numbers).
  • When content is shared externally, DLP may show a warning, encrypt email, block external access, or limit Copilot processing.
    • DLP policies do not apply to sharing within Bowdoin.
  • Overrides: You may see an option to proceed with a documented business justification. All overrides are logged and reviewed by IT Security.

What you’ll see

Email (Outlook): If an email message or attachment being sent to an external recipient appears to contain sensitive data, you may see a policy tip.

Email compose window with a red oval around a policy tip warning that restricted data in an attached CSV requires using an Override before sending.

  • Depending on the volume of sensitive data, the system may:
    • Automatically encrypt the message.
    • Block sending.
    • Allow you to “override” by providing a business justification.
  • When an email triggers a DLP policy, you will receive an email from "PostMaster@bowdoin.edu" informing you if the message was encrypted or wasn't delivered to all recipients.

OneDrive: If a file in OneDrive contains restricted data you will see a red "blocked" icon next to the file.

OneDrive My files list showing documents like pii_pci.docx; three rows display a red error/sync icon in the Modified column (circled).

  • If shared externally, the receiver will see an "Access Denied" message. 
  • You can override this block by opening the file and and clicking "More Options" in the Policy Tip. 

Excel window with a yellow policy tip banner; the 'More Options' link in the banner is circled in red.

Teams channels: If a file in a Teams channel contains restricted data you will see a red "blocked" icon next to the file.

Document list entry for an Excel file highlighted with tooltip reading: "Contains sensitive information. Some commands aren't available."

  • External Team members will not be able to see these blocked files.
  • You can override this block by opening the file and and clicking "More Options" in the Policy Tip. 

Yellow Policy Tip banner showing POLICY TIP: Policy Tip SPO-RestrictedSIT-BlockExt_Low_Vol me; 'More Options' link circled in red.

Teams chats: Messages shared with external participants that contain restricted data may be blocked from external access.  Clicking "What can I do?" in the Policy Tip may allow you to override and send the message.

Blocked message banner showing 'This message was blocked' and a circled 'What can I do?' link; below three chips display a name and two numbers.

Microsoft 365 Copilot and Copilot Chat: Content labeled or detected as “Restricted” may be limited or blocked from processing. You may receive a notice that certain content cannot be used. No override is available.

Share content safely

  • Remove sensitive data before sharing externally.
  • Store sensitive files in internal-only locations; use sensitivity labels if available.
  • Read policy tips—they explain what was found and safer options.
  • Never email restricted data. If you must share, use Teams or OneDrive.

What to do if you’re warned or blocked

  • Email: Remove/redact sensitive data. If an override appears and your department has approved use for this case, provide a clear business justification. Otherwise, use an approved secure alternative.
  • OneDrive/Teams: Redact or remove sensitive data and re-share; or restrict to internal users only.
  • Copilot: Rephrase to avoid sensitive content or use non-restricted files.

If you need to share but are prevented from doing so

  • Redact fields (e.g., show only last four digits where appropriate).
  • Check with your supervisor for approved secure methods.
  • Overrides (if offered) require a clear business reason and are audited by IT Security.

Additional Help

If you need further assistance, please contact the Bowdoin College Service Desk and do not share the sensitive data itself.

Print Article

Related Articles (4)

Add or Change Sensitivity Labels for Files and Teams in Microsoft 365
Bowdoin Microsoft 365 sensitivity labels classify and protect content by adding visual markings, restricting actions (open/edit/print/forward), and controlling privacy, external sharing, and device access across OneDrive, SharePoint, and Teams.
Override a block when Microsoft 365 flags sensitive information
The article explains how Bowdoin Microsoft 365 users can interpret DLP policy tips, decide if an override is appropriate, reduce sensitive content, and, when permitted, override blocks in Outlook (web/desktop), OneDrive, SharePoint, and Teams with a brief business justification. It also advises using safer sharing methods (restricted OneDrive/SharePoint links) and notes that overrides are logged for review, so they should be used only when necessary.
Remove Sensitive and Hidden Information from Microsoft 365 Documents and PDFs
Guidance covers safely redacting Microsoft 365 documents and PDFs by working on a copy, identifying sensitive data, removing hidden metadata with Office’s Inspect Document tools, and using true redaction tools like Adobe Acrobat Pro instead of drawing black boxes. It also advises redacting images, using flatten/print-to-PDF only as a last resort, verifying redaction by search and copy tests, and sharing only the final redacted copy to avoid exposing version history in cloud storage.