
How to Audit Teams Messages Detected by DLP Rules in M365

Implementing DLP policies in Microsoft Teams is only the first step toward protecting sensitive information. If a rule allows overrides, a user can override a flagged message (with or without a business justification) and the content leaves the organization anyway, which creates data-leak and compliance risk. Regularly auditing the messages flagged by DLP in Microsoft Teams, including the overridden ones, lets you confirm that overridden content was not actually sensitive and that the override was justified. This guide walks through three ways to audit messages detected by DLP in Microsoft Teams.

Using the Audit Log in Microsoft Purview Compliance Portal

Microsoft 365 permission required:
  Least privilege: View-Only Audit Logs role
  Most privilege: Global Admin
  • Navigate to the Audit page in the Microsoft Purview Compliance portal.
  • Specify the date and time range as per your requirements.
  • From the Activities - friendly names drop-down, select Matched DLP rule. Then, in the Workloads drop-down, choose Microsoft Teams, and click Search.
  • Once the search is complete, you can export the DLP matched Teams messages report.
  • Note: Audit (Standard) in Microsoft Purview retains audit data for 180 days; Audit (Premium) keeps it longer. Tracking DLP-detected Teams messages through the audit search is time-consuming, however, and the search offers only limited filtering.

Using DLP Activity Explorer in Microsoft Purview Compliance Portal

Microsoft 365 permission required:
  Least privilege: View-Only Audit Logs role
  Most privilege: Global Admin
  • Log in to the Microsoft Purview compliance portal.
  • Under the Solutions section, click the Data loss prevention drop-down and select 'Activity explorer'.
  • In the Activity explorer window, choose the date range. Then, from the Activity drop-down, select DLPRuleMatch, and from the Location drop-down, select MicrosoftTeams.
  • Once the search is complete, you can export the DLP matched Teams messages report.
  • Note: DLP Activity explorer offers a graphical view and additional filtering options to make analysis easier. However, it only retains audit data from the past 30 days.

Using Windows PowerShell Script

Microsoft 365 permission required:
  Least privilege: View-Only Audit Logs role
  Most privilege: Global Admin
  • The audit log search offers limited customization, and DLP Activity explorer can retrieve data for only the past 30 days.
  • To address this, we developed a unified script that audits all DLP-detected messages in Microsoft Teams for the full 180-day audit retention period and lets you filter the results by severity and policy name.
  • The script can also audit DLP matches across other workloads and exports the results as a CSV file.
  • To get the Microsoft Teams DLP rule match report, run the script with the WorkloadCategory parameter set to 'MicrosoftTeams', as shown below.

    ./AuditDLPRuleMatch.ps1 -WorkloadCategory MicrosoftTeams
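As an added illustration of what such a script does (this is not the page's AuditDLPRuleMatch.ps1 and not AdminDroid code), the function below queries the unified audit log through Exchange Online PowerShell for DlpRuleMatch events, keeps only the records whose Workload is the requested one, flattens the nested PolicyDetails/Rules JSON into one row per matched rule, and writes a CSV. The function and parameter names are this example's own choice; the JSON field names follow the Office 365 Management Activity API DLP schema. With -IncludeOverrides it also returns DlpRuleUndo events, which carry the user's override justification, so the same report covers the overridden messages the introduction warns about.

```powershell
# Added example, not the page's AuditDLPRuleMatch.ps1. Needs the
# ExchangeOnlineManagement module and at least the View-Only Audit Logs role.
function Export-DlpRuleMatchReport {
    param(
        [ValidateSet('MicrosoftTeams','Exchange','SharePoint','OneDrive')]
        [string]$WorkloadCategory = 'MicrosoftTeams',
        [int]$Days = 180,                    # Audit (Standard) keeps 180 days
        [switch]$IncludeOverrides,           # also return DlpRuleUndo events
        [string]$PolicyName,                 # optional filter
        [ValidateSet('Low','Medium','High')]
        [string]$Severity,                   # optional filter
        [string]$OutFile = ".\DlpRuleMatch_$WorkloadCategory.csv"
    )

    Import-Module ExchangeOnlineManagement -ErrorAction Stop
    Connect-ExchangeOnline -ShowBanner:$false

    # Pass [DateTime] objects, not locale-dependent strings such as "24/9/2024",
    # which Search-UnifiedAuditLog rejects on many regional settings.
    $EndDate   = Get-Date
    $StartDate = $EndDate.AddDays(-$Days)
    $Operations = @('DlpRuleMatch')
    if ($IncludeOverrides) { $Operations += 'DlpRuleUndo' }

    # Search-UnifiedAuditLog returns at most 5,000 records per call; ReturnLargeSet
    # with a fixed SessionId pages through up to 50,000 records per search.
    $SessionId = 'DlpAudit-' + [guid]::NewGuid().ToString()
    $Rows = New-Object System.Collections.Generic.List[object]
    do {
        $Page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
            -Operations $Operations -SessionId $SessionId `
            -SessionCommand ReturnLargeSet -ResultSize 5000
        foreach ($Record in @($Page)) {
            $Data = $Record.AuditData | ConvertFrom-Json
            if ($Data.Workload -ne $WorkloadCategory) { continue }
            foreach ($Policy in @($Data.PolicyDetails)) {
                if (-not $Policy) { continue }
                if ($PolicyName -and $Policy.PolicyName -ne $PolicyName) { continue }
                foreach ($Rule in @($Policy.Rules)) {
                    if (-not $Rule) { continue }
                    if ($Severity -and $Rule.Severity -ne $Severity) { continue }
                    # Which sensitive info types fired, and how many instances
                    $Sits = @($Rule.ConditionsMatched.SensitiveInformation |
                        ForEach-Object { "$($_.SensitiveInformationTypeName)($($_.Count))" })
                    $Rows.Add([pscustomobject]@{
                        Time          = $Data.CreationTime
                        Operation     = $Data.Operation        # DlpRuleMatch / DlpRuleUndo
                        User          = $Data.UserId
                        Workload      = $Data.Workload
                        Policy        = $Policy.PolicyName
                        Rule          = $Rule.RuleName
                        Severity      = $Rule.Severity
                        Actions       = (@($Rule.Actions) -join ';')
                        SensitiveInfo = ($Sits -join ';')
                        # Present only on DlpRuleUndo: why the user overrode the block
                        Justification = $Data.ExceptionInfo.Justification
                    })
                }
            }
        }
    } while (@($Page).Count -gt 0)

    $Rows | Sort-Object Time -Descending | Export-Csv -Path $OutFile -NoTypeInformation
    Disconnect-ExchangeOnline -Confirm:$false
    return $Rows.Count
}

# Usage: Teams rule matches and user overrides from the last 180 days, High severity only
Export-DlpRuleMatchReport -WorkloadCategory MicrosoftTeams -IncludeOverrides -Severity High
```

When reviewing the CSV, start with rows whose Operation is DlpRuleUndo: each one is content a user sent past a block, and the Justification column (empty when the rule did not require one) is what you have to judge the override against.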
AuditDLPRuleMatch.ps1

Strengthen the Protection of Sensitive Information in Teams Messages Through DLP Policy Reviews!

AdminDroid streamlines Microsoft Teams management and ensures compliance with detailed reports on DLP-detected messages, real-time alerts, and insights into DLP policy & rule changes.

Schedule Reports to Find DLP Matched Messages

AdminDroid's advanced scheduling automates DLP report generation for Microsoft Teams, sending them directly to your inbox at regular intervals for consistent monitoring.

Audit All DLP Actions in a Single Report

AdminDroid provides a unified report for all DLP actions, that allows easy filtering, analysis, and data downloads in multiple formats to support data security decisions and policy updates.

Track All Your Overridden DLP Messages in Teams

The Teams DLP rule undo displays details of policies overridden by users. Ensure that the data is non-sensitive and accompanied by appropriate justification.

Keep an Eye on External Users in Microsoft Teams

Monitor Teams external user report in M365 to identify and remove external users who don’t require access, preventing sensitive data sharing and ensuring DLP policy compliance.

Microsoft 365 ISO Compliance Management

Using AdminDroid's ISO compliance management reports, ensure compliance by monitoring DLP-detected messages in Microsoft Teams.

Get Instant Alerts on DLP-detected Teams Messages

AdminDroid provides a default alert template to notify you when any shared files in Teams or channel messages are detected by Microsoft Teams Data Loss Prevention policies.

In conclusion, AdminDroid Teams analytics and reporting provides detailed reports on Microsoft Teams activities, including channel creations, ownership changes, meeting details, message activities, and file sharing with external users. It also offers real-time alerts for DLP actions, ensuring effective and secure communication and collaboration.

Explore a full range of reporting options

Important Tips

Enable highly sensitive protection in Microsoft Teams by combining sensitivity labels and Conditional Access to restrict guest access to confidential data in Teams.

Set up DLP policies in SharePoint Online to prevent sensitive content from being shared with external users, and keep confidential information secure, especially in industries like healthcare and finance.

When configuring a DLP policy for Teams, include SharePoint and OneDrive locations to prevent users from sharing sensitive information through files and folders in Teams messages.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints while auditing DLP-detected messages in Microsoft Teams.

Error: Cannot process argument transformation on parameter 'EndDate'. Cannot convert value to type Microsoft.Exchange.ExchangeSystem.ExDateTime: String "24/9/2024" was not recognized as a valid DateTime.

This error occurs when the StartDate or EndDate value passed to the Search-UnifiedAuditLog cmdlet is a string in a format the cmdlet cannot parse (here, day/month/year). The cmdlet parses date strings according to the regional settings of the machine running it.

Fix: Enter the date in MM/DD/YYYY format when running Search-UnifiedAuditLog in Exchange Online PowerShell, or pass a [DateTime] value instead of a string, for example -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date), which does not depend on regional settings at all.

Error Connect-ExchangeOnline: The term ‘Connect-ExchangeOnline’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This error occurs when the ExchangeOnlineManagement module is not installed (or not loaded) in your PowerShell session.

Fix: Run the cmdlets below in an elevated PowerShell session to install the ExchangeOnlineManagement module from the PowerShell Gallery and then load it. Import-Module on its own only loads a module that is already installed.
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement

Error Client error - The argument is empty.

This error can occur when a DLP rule is misconfigured, for example saved with a required setting left empty.

Fix: Check the DLP rule settings to ensure all required arguments are provided and correctly formatted.

Frequently Asked Questions

Ensure Compliance by Auditing DLP-detected Teams Messages in Microsoft 365

How to manage DLP-detected messages in Microsoft Teams?

When sensitive messages are shared via Microsoft Teams, DLP policies automatically apply predefined rules to protect your valuable data. However, users may override these rules or report them as false positives. Regularly reviewing audit logs provides valuable insights to strengthen security measures and prevent the leakage of sensitive information.

Review and Validate the Incident

Analyze the audit logs to determine whether DLP-detected Teams messages contain sensitive information. This process helps you to identify any false positives flagged messages and allows for fine-tuning of the DLP rules.

Monitor All the Alerts Generated by DLP Policies

Alerts are crucial for identifying potential policy violations. By actively monitoring them, organizations can take proactive measures to protect sensitive information, refine DLP policies, and reduce false positives.

For an in-depth audit and investigation of DLP policy violations in Microsoft Teams, review the alerts generated in the Microsoft Defender portal.

  • Log in to the Microsoft Defender Portal.
  • Navigate to Alerts under Investigation & response » Incidents & alerts.
  • From the Add filter drop-down, add Service/detection sources and choose Microsoft Data Loss Prevention.

Here, you can review key details of the DLP policy violations, including the user involved, the specific policy, the type of sensitive information, event time, and more.

Actions on DLP-detected Messages

  • After reviewing the alerts, you can take actions if you identify any suspicious behaviour.
  • If the user account itself looks compromised, you can act from the alert: confirm the user is compromised, suspend the user in Entra ID, require the user to sign in again, modify the Entra ID account settings, or view related incidents. These steps help secure the account and prevent further risks.

Additionally, you can manage, and tune alerts based on the audit to enhance their accuracy and gain better insights into threats facing your organization.

Seamlessly Monitor and Manage DLP Alerts with AdminDroid's Graphical Analytics

With AdminDroid's built-in charts, get an overview of Data Loss Prevention alerts related to Microsoft Teams over a chosen period: alert counts per day, counts by policy name, and counts by category and policy type. You can also filter alerts by severity.


It helps you to quickly identify trends and patterns in DLP violations, enabling timely responses to potential data breaches and ensuring compliance.

How to edit default Data loss prevention policy on Microsoft Teams?

Data Loss Prevention (DLP) policies are one of the most effective ways to detect and prevent sensitive information from leaking out of an organization. Microsoft enhances this by providing default DLP policies for Microsoft Teams.

Scope of default Teams DLP policy: The default DLP policy for Teams automatically tracks all credit card numbers shared within the organization. While it doesn't provide policy tips to end users, it generates an alert and sends a low-severity email notification to the designated admin. Therefore, it will be useful to edit the default DLP policy for Microsoft Teams to address specific needs.

Steps to edit the default DLP policy for Teams in Microsoft Purview portal

  • Log in to the Microsoft Purview compliance portal.
  • Under the Solutions section, select the Data loss prevention drop-down and click Policies.
  • To modify the default Data Loss Prevention policy for Teams, select the Default policy for Teams. Click 'Edit policy’, and update the policy rules to protect sensitive data such as Social Security numbers, GST numbers, medical records, and health insurance numbers. You can also add policy tips and apply additional restrictions for enhanced protection.

Note: Misconfigurations can cause data leaks and may also block legitimate Teams messages, disrupting communication and lowering productivity. It is therefore essential to monitor changes made to DLP policies and rules. The unified audit log does record these cmdlet operations (for example New-DlpCompliancePolicy), but Microsoft 365 offers no dedicated report for them.

Monitor every DLP policy and rule change effortlessly with AdminDroid!

  • AdminDroid's Data Loss Prevention Policies and Rules report helps to audit all DLP policies and rule-based changes to effectively identify and safeguard sensitive information within your organization.
  • It provides clear details on the operations performed, including which rule or policy was impacted, the status of the changes, user types involved, and more.

Handy hint: You can apply filters to quickly find specific operations, such as New-DlpCompliancePolicy, Remove-DlpCompliancePolicy, Get-DlpComplianceRule, New-DlpComplianceRule, and more.

How to create a DLP policy to block external sharing of sensitive info in Microsoft Teams messages?

Since Microsoft Teams is a primary collaboration tool for organizations, implementing DLP policies to block the external sharing of sensitive information in Teams chats is essential. This helps ensure data security and prevents unintentional disclosure of confidential data.

Because the default DLP policy for Teams covers only credit card numbers, you need to create a custom policy tailored to your own requirements.

Follow the steps below to create a policy that blocks the sharing of IP addresses and password credentials with external users through Teams messages.

  • Log in to the Microsoft Purview compliance portal.
  • In the Solutions section, expand the Data loss prevention drop-down and select Policies.
  • Click Create policy. Under Categories select Custom, then Custom policy, and click Next.
  • Name the DLP policy, add a description, and click Next.
  • Choose the admin units the policy should apply to and click Next. Then select the locations where the policy is evaluated: choose Teams chat and channel messages only, and click Next.
  • In the Define policy settings section, select Create or customize advanced DLP rules and click Next.
  • In the Customize advanced DLP rules section, click (+) Create rule and name the rule.
  • Under Conditions, add the condition Content contains and select the sensitive info types; in this case choose IP Address and General Password.
  • Add another condition, Content is shared from Microsoft 365, and select with people outside my organization.
  • Under Actions, click (+) Add an action, choose Restrict access or encrypt the content in Microsoft 365 locations, and select Block only people outside your organization.
  • In the User notifications section, tick Customize the policy tip text and explain why the message is blocked.
  • In the Incident reports section, turn on Send an alert to admins when a rule match occurs, select the recipients of the alert, and save the rule.
  • Run the policy in simulation mode first and review the matches it reports before enforcing it.
  • Once the simulation results look right, turn the policy on.

When you attempt to share your IP address with external users through Teams messages, it will be blocked by our configured policy.
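The same policy built from Security & Compliance PowerShell, as an added example that is not part of the original article: it creates a policy scoped to Teams chat and channel messages in simulation mode, attaches one rule that matches either of the two sensitive info types when the content is shared outside the organization, blocks only the external recipients, shows a policy tip, alerts admins, and is switched to enforcement with Set-DlpCompliancePolicy only after the simulation has been reviewed. The policy and rule names and the policy-tip wording are hypothetical; the sensitive information type names are the ones used in the steps above. Connect-IPPSSession prompts for interactive sign-in.

```powershell
# Added example (not the article's own code). Builds the Teams-only DLP policy
# described above with Security & Compliance PowerShell. Names are hypothetical.
Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-IPPSSession   # Security & Compliance PowerShell, not Connect-ExchangeOnline

$PolicyName = 'Teams - Block external sharing of IPs and passwords'
$RuleName   = "$PolicyName - rule"

# 1. Policy scoped to Teams chat and channel messages, started in simulation
#    (test) mode: matches are logged and alerts fire, but nothing is blocked yet.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment 'Blocks IP addresses and passwords sent to people outside the organization via Teams' `
    -TeamsLocation All `
    -Mode TestWithNotifications

# 2. Rule: either sensitive info type present AND shared outside the org.
#    PerUser blocks only external recipients, matching the portal option
#    "Block only people outside your organization".
$SensitiveTypes = @(
    @{ Name = 'IP Address';       minCount = '1' },
    @{ Name = 'General Password'; minCount = '1' }
)
New-DlpComplianceRule -Name $RuleName -Policy $PolicyName `
    -ContentContainsSensitiveInformation $SensitiveTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText 'This message contains an IP address or a password and cannot be sent to external users.' `
    -GenerateAlert 'SiteAdmin' `
    -GenerateIncidentReport 'SiteAdmin' `
    -ReportSeverityLevel High

# 3. Verify what was created before enforcing it
Get-DlpCompliancePolicy -Identity $PolicyName |
    Format-List Name, Mode, TeamsLocation
Get-DlpComplianceRule -Policy $PolicyName |
    Format-List Name, AccessScope, BlockAccess, BlockAccessScope, ContentContainsSensitiveInformation

# 4. After reviewing the simulation results (Activity explorer or the audit log),
#    switch the policy from simulation to enforcement:
# Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
```

Keeping the rule in TestWithNotifications first is the scripted equivalent of the portal's simulation step: users see the policy tip and admins receive alerts, so false positives on the IP Address type (internal RFC 1918 addresses pasted into chats are a common one) surface before anyone's messages are actually blocked.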

