
How to Audit Teams Messages Detected by DLP Rules in M365

Implementing DLP policies in Microsoft Teams is just one step toward protecting sensitive information. However, users can potentially bypass these policies by overriding flagged messages, which may lead to data leaks and compliance risks. Regularly auditing messages flagged by DLP in Microsoft Teams is essential to ensure that overridden content does not reveal sensitive data. In this guide, we will explore how to effectively audit messages detected by DLP in Microsoft Teams.

Native Solution

Microsoft 365 Permission Required: High
Least Privilege: View-Only Audit Logs role
Most Privilege: Global Admin

Option 1 Using Microsoft Purview Compliance Portal

  • Navigate to the Audit page in the Microsoft Purview Compliance portal.
  • Specify the date and time range as per your requirements.
  • From the Activities-friendly names drop-down, select the Matched DLP rule. Then, in the Workloads drop-down, choose Microsoft Teams, and click Search.
  • Once the search is complete, you can export the DLP matched Teams messages report.
  • Note: Audit logs in Microsoft Purview retain data for up to 180 days. However, tracking DLP-detected Teams messages in Microsoft Purview can be a time-consuming process with limited customization options.

Option 2 Using Microsoft Purview Compliance Portal

  • Log in to the Microsoft Purview compliance portal.
  • Under the Solutions section, click the Data loss prevention drop-down and select 'Activity explorer'.
  • In the Activity explorer window, choose the date range. Then, from the Activity drop-down, select DLPRuleMatch, and from the Location drop-down, select MicrosoftTeams.
  • Once the search is complete, you can export the DLP matched Teams messages report.
  • Note: DLP Activity explorer offers a graphical view and additional filtering options to make analysis easier. However, it only retains audit data from the past 30 days.

Option 3 Using Windows PowerShell Script

  • The audit log offers limited customization, and the DLP Activity explorer can retrieve data for only the past 30 days.
  • To address this, we developed a unified script to audit all DLP-detected messages in Microsoft Teams, providing a clear view with filter options based on severity and policy name for the past 180 days.
  • Additionally, this script allows you to audit DLP matches across different workloads and export the results as a CSV file.
  • To get the Microsoft Teams DLP rule match report, run the script with the WorkloadCategory parameter set to 'Microsoft Teams', as shown below (the value contains a space, so it must be quoted).

    ./AuditDLPRuleMatch.ps1 -WorkloadCategory "Microsoft Teams"
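As an added illustration of what such a script does (this is not the page's AuditDLPRuleMatch.ps1 and does not reproduce it), the following PowerShell pulls DLPRuleMatch events from the unified audit log with Search-UnifiedAuditLog, keeps the MicrosoftTeams workload, and flattens policy, rule, severity and matched sensitive information types into a CSV. The parameter names, CSV columns and output path are this example's own, and the AuditData field paths (PolicyDetails, Rules, ConditionsMatched, ExchangeMetaData) are assumed from Microsoft's DLP audit event schema; confirm them against one record from your tenant before relying on the output.

```powershell
# Added example (not the page's own AuditDLPRuleMatch.ps1): pull DLPRuleMatch events from the
# unified audit log, keep the Microsoft Teams workload, flatten policy/rule/severity, export CSV.
# Assumes the ExchangeOnlineManagement module and an account holding the View-Only Audit Logs role.
# Parameter names, CSV columns and AuditData field paths are this example's assumptions.
param(
    [int]$Days = 180,                                       # audit log retention ceiling on the page
    [string]$PolicyName,                                    # optional, e.g. 'Default policy for Teams'
    [ValidateSet('Low', 'Medium', 'High')][string]$Severity,
    [string]$OutputCsv = '.\TeamsDLPRuleMatches.csv'
)

Connect-ExchangeOnline -ShowBanner:$false

# Pass [datetime] values, not locale-dependent strings, to avoid the EndDate conversion error
$startDate = (Get-Date).AddDays(-$Days)
$endDate   = Get-Date
$sessionId = 'TeamsDLPAudit-' + [guid]::NewGuid().ToString()
$rows      = [System.Collections.Generic.List[object]]::new()

do {
    # ReturnLargeSet pages 5,000 records per call; reusing the SessionId continues the search
    $batch = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations DLPRuleMatch `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    foreach ($entry in $batch) {
        $data = $entry.AuditData | ConvertFrom-Json
        if ($data.Workload -ne 'MicrosoftTeams') { continue }      # same filter as the portal steps
        foreach ($policy in $data.PolicyDetails) {
            if ($PolicyName -and $policy.PolicyName -ne $PolicyName) { continue }
            foreach ($rule in $policy.Rules) {
                if ($Severity -and $rule.Severity -ne $Severity) { continue }
                $sits = foreach ($si in $rule.ConditionsMatched.SensitiveInformation) {
                    "$($si.SensitiveInformationTypeName) x$($si.Count)" }
                $rows.Add([pscustomobject]@{
                    DetectedTime  = $data.CreationTime
                    Sender        = $data.UserId
                    Recipients    = ($data.ExchangeMetaData.To -join '; ')
                    PolicyName    = $policy.PolicyName
                    RuleName      = $rule.RuleName
                    Severity      = $rule.Severity
                    Actions       = ($rule.Actions -join '; ')
                    SensitiveInfo = ($sits -join '; ')
                })
            }
        }
    }
} while ($batch)                                                   # $null once the session is drained

$rows | Export-Csv -Path $OutputCsv -NoTypeInformation
Write-Host "Exported $($rows.Count) Teams DLP rule matches to $OutputCsv"
```

Run it as, for example, `.\Get-TeamsDlpMatches.ps1 -Days 90 -Severity High` to keep only high-severity matches; an empty result for a policy you expect to fire usually means the rule's severity or policy name in the audit record differs from what you filtered on.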
AdminDroid Solution
More than 150 reports are under the free edition.

AdminDroid Permission Required

Any user with report access delegated by the Super Admin.

Steps Using AdminDroid

  • Log in to the AdminDroid Office 365 reporter.
  • Navigate to the Teams DLP Rule Matches report under Audit»Teams» DLP Actions.

This report offers comprehensive details about DLP-detected Teams messages, including information on the sender, the recipient, detected policy, sensitive information type, and more.

  • Use AdminDroid's charts to track users with the most attempts to share sensitive information in Microsoft Teams, helping identify those who may need additional oversight.

Effortlessly review all messages flagged by DLP in Microsoft Teams!

Obtain a detailed report of Teams messages detected by DLP policies with AdminDroid to ensure sensitive information is not shared with external users.


Important Tips

Enable highly sensitive protection in Microsoft Teams by combining sensitivity labels and Conditional Access to restrict guest access to confidential data in Teams.

Set up DLP policies in SharePoint Online to prevent sensitive content from being shared with external users, and keep confidential information secure, especially in industries like healthcare and finance.

When configuring a DLP policy for Teams, include SharePoint and OneDrive locations to prevent users from sharing sensitive information through files and folders in Teams messages.

Ensure Compliance by Auditing DLP-detected Teams Messages in Microsoft 365


How to manage DLP-detected messages in Microsoft Teams?

When sensitive messages are shared via Microsoft Teams, DLP policies automatically apply predefined rules to protect your valuable data. However, users may override these rules or report them as false positives. Regularly reviewing audit logs provides valuable insights to strengthen security measures and prevent the leakage of sensitive information.

Review and Validate the Incident

Analyze the audit logs to determine whether DLP-detected Teams messages actually contain sensitive information. This process helps you identify falsely flagged messages (false positives) and fine-tune the DLP rules accordingly.

Monitor All the Alerts Generated by DLP Policies

Alerts are crucial for identifying potential policy violations. By actively monitoring them, organizations can take proactive measures to protect sensitive information, refine DLP policies, and reduce false positives.

For an in-depth audit and investigation of DLP policy violations in Microsoft Teams, review the alerts generated in the Microsoft Defender portal.

  • Log in to the Microsoft Defender Portal.
  • Navigate to Alerts under Investigation & response»Incidents & alerts.
  • From the 'Add filter' drop-down, add 'Service/detection sources' and choose Microsoft Data Loss Prevention.

Here, you can review key details of the DLP policy violations, including the user involved, the specific policy, the type of sensitive information, event time, and more.

Actions on DLP-detected Messages

  • After reviewing the alerts, you can take actions if you identify any suspicious behaviour.
  • If you believe something is wrong with the user, you can take actions like confirming the user is compromised, suspending the user in Entra ID, requiring the user to sign in again, modifying the Entra ID account settings, and viewing related incidents. These steps help ensure the user’s account is secure and prevent further risks.

Additionally, you can manage and tune alerts based on the audit to enhance their accuracy and gain better insights into the threats facing your organization.

Seamlessly Monitor and Manage DLP Alerts with AdminDroid's Graphical Analytics

With AdminDroid's built-in charts, get a comprehensive overview of Data Loss Prevention alerts related to Microsoft Teams, summarizing triggered alerts over a specified period. This includes daily alert counts, counts by policy name, and counts by category and policy type. You can also filter alerts based on severity.


It helps you to quickly identify trends and patterns in DLP violations, enabling timely responses to potential data breaches and ensuring compliance.

How to edit the default Data Loss Prevention policy for Microsoft Teams?

Data Loss Prevention (DLP) policies are one of the most effective ways to detect and prevent sensitive information from leaking out of an organization. Microsoft enhances this by providing default DLP policies for Microsoft Teams.

Scope of default Teams DLP policy: The default DLP policy for Teams automatically tracks all credit card numbers shared within the organization. While it doesn't provide policy tips to end users, it generates an alert and sends a low-severity email notification to the designated admin. Therefore, it will be useful to edit the default DLP policy for Microsoft Teams to address specific needs.

Steps to edit the default DLP policy for Teams in Microsoft Purview portal

  • Log in to the Microsoft Purview compliance portal.
  • Under the Solutions section, select the Data loss prevention drop-down and click Policies.
  • To modify the default Data Loss Prevention policy for Teams, select the Default policy for Teams. Click 'Edit policy’, and update the policy rules to protect sensitive data such as Social Security numbers, GST numbers, medical records, and health insurance numbers. You can also add policy tips and apply additional restrictions for enhanced protection.

Note: Misconfigurations can lead to data leaks and may unintentionally block legitimate Teams messages, disrupting communication and lowering productivity. Therefore, it is essential to monitor changes made to the DLP policies and rules to prevent these issues. However, there is no dedicated way to audit changes in Microsoft 365.

Monitor every DLP policy and rule change effortlessly with AdminDroid!

  • AdminDroid's Data Loss Prevention Policies and Rules report helps to audit all DLP policies and rule-based changes to effectively identify and safeguard sensitive information within your organization.
  • It provides clear details on the operations performed, including which rule or policy was impacted, the status of the changes, user types involved, and more.

Handy hint: You can apply various filter options to quickly identify changes, such as New-DlpCompliancePolicy, Remove-DlpCompliancePolicy, Get-DlpComplianceRule, New-DlpComplianceRule, and more.

How to create a DLP policy to block external sharing of sensitive info in Microsoft Teams messages?

Since Microsoft Teams is a primary collaboration tool for organizations, implementing DLP policies to block the external sharing of sensitive information in Teams chats is essential. This helps ensure data security and prevents unintentional disclosure of confidential data.

Because the default DLP policy for Teams covers only sensitive information such as credit card numbers, you need to create a custom policy tailored to your specific needs.

Follow the steps below to create a policy that blocks the sharing of IP addresses and password credentials with external users through Teams messages.

  • Log in to the Microsoft Purview Compliance portal.
  • In the 'Solutions' section, expand the Data loss prevention drop-down and select 'Policies'.
  • Click Create policy. In the categories, select 'Custom' and then click on 'Custom policy', followed by Next.
  • Name your DLP policy and provide a description, then click Next.
  • Choose the admin units you want to assign this policy to, then click Next. Select the location where the policy will be evaluated: choose Teams chat and channel messages, then click Next.
  • In the 'Define policy settings' section, select 'Create or customize advanced DLP rules' and click Next.
  • In the 'Customize advanced DLP rules' section, click (+) Create rule and name the rule.
  • Under Conditions, click Add condition and choose 'Content contains'. Select your sensitive info types; in this case, choose IP Address and General Password.
  • Add another condition, 'Content is shared from Microsoft 365', and in its drop-down select 'with people outside my organization'.
  • Under Actions, click (+) Add an action, choose 'Restrict access or encrypt the content in Microsoft 365 locations', and select 'Block only people outside your organization'.
  • In the User notifications section, check the 'Customize the policy tip text' box and provide the reason the message is blocked.
  • In the Incident reports section, turn on 'Send an alert to admins when a rule match occurs', select the people who should receive alert notifications, and save the rule.
  • To check the policy rules, run the policy in simulation mode before applying it.
  • After the simulation completes successfully, turn the policy On.
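The same policy the portal steps above build, expressed with the Security & Compliance PowerShell cmdlets this page mentions later (New-DlpCompliancePolicy, New-DlpComplianceRule); this is an added example, not the page's or Microsoft's own script. The policy and rule names, the tip text and the alert recipient address are assumptions, and the BlockAccessScope value PerUser is assumed to correspond to the portal's 'Block only people outside your organization' option.

```powershell
# Added example (not from the page): create the Teams DLP policy described above via PowerShell.
# Requires Connect-IPPSSession (Security & Compliance PowerShell from ExchangeOnlineManagement).
# Names, tip text and the alert recipient are this example's own assumptions.
Connect-IPPSSession

$policyName     = 'Block external sharing of IP addresses and passwords in Teams'
$alertRecipient = 'dlp-admin@contoso.example'   # placeholder address, not from the page

# Scope: Teams chat and channel messages for all users. Start in simulation (test) mode,
# matching the "run the policy in simulation mode before applying it" step.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Blocks IP addresses and password credentials sent to people outside the organization' `
    -TeamsLocation All `
    -Mode TestWithoutNotifications

# Rule: content contains either sensitive info type AND is shared with people outside the
# organization -> block only external recipients, show a custom policy tip, alert an admin.
# BlockAccessScope PerUser is assumed to map to the portal's
# "Block only people outside your organization" choice.
New-DlpComplianceRule -Name 'Block IP address and password to external users' -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'IP Address';       minCount = '1' },
        @{ Name = 'General Password'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'Sharing IP addresses or passwords with people outside the organization is blocked by policy.' `
    -GenerateAlert $alertRecipient `
    -ReportSeverityLevel High

# After reviewing the simulation results in the DLP Activity explorer, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Leaving the policy in TestWithoutNotifications until the Activity explorer shows no unexpected matches avoids the communication disruption the page warns about for misconfigured rules.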

When you attempt to share your IP address with external users through Teams messages, it will be blocked by our configured policy.


Strengthen the Protection of Sensitive Information in Teams Messages Through DLP Policy Reviews!

AdminDroid streamlines Microsoft Teams management and ensures compliance with detailed reports on DLP-detected messages, real-time alerts, and insights into DLP policy & rule changes.

A Quick Summary

Schedule Reports to Find DLP Matched Messages

AdminDroid's advanced scheduling automates DLP report generation for Microsoft Teams, sending them directly to your inbox at regular intervals for consistent monitoring.

Audit All DLP Actions in a Single Report

AdminDroid provides a unified report for all DLP actions, which allows easy filtering, analysis, and data downloads in multiple formats to support data security decisions and policy updates.

Track All Your Overridden DLP Messages in Teams

The Teams DLP Rule Undo report displays details of policies overridden by users. Ensure that the overridden data is non-sensitive and accompanied by an appropriate justification.

Keep an Eye on External Users in Microsoft Teams

Monitor the Teams external user report in M365 to identify and remove external users who don't require access, preventing sensitive data sharing and ensuring DLP policy compliance.

Microsoft 365 ISO Compliance Management

Using AdminDroid's ISO compliance management reports, ensure compliance by monitoring DLP-detected messages in Microsoft Teams.

Get Instant Alerts on DLP-detected Teams Messages

AdminDroid provides a default alert template to notify you when any shared files in Teams or channel messages are detected by Microsoft Teams Data Loss Prevention policies.

In conclusion, AdminDroid Teams analytics and reporting provides detailed reports on Microsoft Teams activities, including channel creations, ownership changes, meeting details, message activities, and file sharing with external users. It also offers real-time alerts for DLP actions, ensuring effective and secure communication and collaboration.


Common Errors and Resolution Steps for Auditing Messages Detected by DLP Policies in Microsoft Teams

The following are the possible errors and troubleshooting hints while auditing DLP-detected messages in Microsoft Teams.

Error: Cannot Process argument transformation on parameter EndDate . Cannot convert value to type. Microsoft.Exchange.ExchangeSystem.ExDateTime. "String 24/9/2024" was not recognized as a valid Datetime.

This error occurs when you enter the date in the incorrect format while specifying the start date or end date in the Search-UnifiedAuditLog cmdlet.

Troubleshooting hint: Enter the date in the MM/DD/YYYY format when executing the 'Search-UnifiedAuditLog' cmdlet in Exchange Online PowerShell.

Error: Connect-ExchangeOnline: The term ‘Connect-ExchangeOnline’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This error occurs when the ExchangeOnlineManagement module is not installed in your PowerShell environment.

Troubleshooting hint: Run the cmdlets below in an elevated (administrator) PowerShell session to install the ExchangeOnlineManagement module and load it into the session.

Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement

Error: Client error - The argument is empty.

This error occurs during incorrect DLP policy configuration when an incorrect rule is set up.

Troubleshooting hint: Check the DLP rule settings to ensure all required arguments are provided and correctly formatted.