DLP Policy Planner
Plan Data Loss Prevention policies by classifying connectors, assessing risk, and exporting recommendations.
Best Practices
Safeguard default environment with restrictive DLP
The default environment is accessible to all users — apply your most restrictive policy here.
Source: Matthew Devaney / CISA SCuBA
Create a tenant-wide baseline DLP policy
Apply a shared policy spanning all environments except those with dedicated policies.
Source: Microsoft Learn
Use consistent DLP across DEV/TEST/PROD
Inconsistent policies cause 'works in dev, breaks in prod' failures.
Source: Matthew Devaney
Minimize policies per environment
Multiple overlapping policies create exponential group fragmentation (2^N groups for N policies).
Source: Microsoft Learn
Set new connector default to Non-Business or Blocked
New connectors added by Microsoft inherit the default group — choose a secure default.
Source: Microsoft Learn
Run impact analysis before changing policies
Changing DLP on environments with existing apps/flows can break them immediately.
Source: Microsoft Learn
Use compensating controls for non-blockable connectors
Non-blockable connectors (SharePoint, Outlook, Teams) need Conditional Access, Sensitivity Labels, and mail flow rules.
Source: Zenity Research
Use endpoint filtering for HTTP and SQL connectors
Instead of blocking HTTP entirely, allow only specific URLs. Available for HTTP, SQL Server, Azure Blob, SMTP.
Source: Microsoft Learn
This tool runs entirely in your browser. No data is sent to any server.