Data Loss Prevention (DLP) policies in SharePoint Online help prevent the accidental sharing of sensitive information such as credit card numbers, Social Security numbers, financial records, and confidential business data.
Using PnP PowerShell, administrators can automate DLP policy creation, assignment, and enforcement to enhance security and compliance.
Key Benefits of DLP Policies:
✔ Prevent accidental data leaks
✔ Restrict access to sensitive information
✔ Monitor and log data sharing activities
✔ Comply with industry regulations (GDPR, HIPAA, etc.)
This guide walks through step-by-step implementation of DLP policies in SharePoint Online using PnP PowerShell.
Step 1: Install & Update PnP PowerShell
Ensure PnP PowerShell is installed and updated before proceeding:
Install-Module -Name PnP.PowerShell -Force -AllowClobber
Update-Module -Name PnP.PowerShell
Step 2: Connect to SharePoint Online
Connect to the SharePoint Admin Center with the required permissions:
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive
For app-based authentication, use:
$tenantId = "your-tenant-id"
$clientId = "your-client-id"
$clientSecret = "your-client-secret"
Connect-PnPOnline -Tenant $tenantId -ClientId $clientId -ClientSecret $clientSecret -Url "https://yourtenant-admin.sharepoint.com"
Step 3: Retrieve Existing DLP Policies
To view available DLP policies, run:
Get-PnPDlpPolicy | Format-Table -AutoSize
✔ Displays Policy Name, Status, and Rules
Step 4: Create a New DLP Policy
Example: Create a DLP Policy for Financial Data Protection
New-PnPDlpPolicy -Name "Financial Data Protection" -Description "Prevents financial data from being shared externally" -Mode "Enforce" -Priority 1 -Workload "SharePoint" -Rule
✔ Prevents external sharing of financial data
Step 5: Apply a DLP Policy to SharePoint Sites
To apply a DLP policy to specific SharePoint sites:
$policyName = "Financial Data Protection"
$siteUrl = "https://yourtenant.sharepoint.com/sites/Finance"
Set-PnPDlpPolicy -Name $policyName -Site $siteUrl
✔ Ensures sensitive financial data is protected
Apply DLP Policy to Multiple SharePoint Sites in Bulk
$policyName = "Financial Data Protection"
$sites = @(
"https://yourtenant.sharepoint.com/sites/HR",
"https://yourtenant.sharepoint.com/sites/Legal",
"https://yourtenant.sharepoint.com/sites/Confidential"
)
foreach ($site in $sites) {
    Set-PnPDlpPolicy -Name $policyName -Site $site
    Write-Host "Applied DLP Policy to: $site"
}
✔ Automates policy enforcement across multiple sites
Step 6: Verify DLP Policy Assignment
To confirm that the DLP policy has been applied correctly:
Get-PnPDlpPolicy | Select-Object Name, Workload, Status
✔ Confirms the policy exists with the expected workload and status
Step 7: Modify or Remove a DLP Policy
Modify an Existing DLP Policy
Set-PnPDlpPolicy -Name "Financial Data Protection" -Mode "AuditOnly"
✔ Changes policy mode from “Enforce” to “Audit Only”
Remove a DLP Policy from a Site
Remove-PnPDlpPolicy -Name "Financial Data Protection" -Site "https://yourtenant.sharepoint.com/sites/Finance"
✔ Deletes DLP policy assignment from the specified site
Delete a DLP Policy Completely
Remove-PnPDlpPolicy -Name "Financial Data Protection"
✔ Completely removes the policy from SharePoint Online
Step 8: Automate DLP Policy Enforcement for New Sites
To automatically apply a DLP policy to all newly created sites, schedule the following script in Azure Automation or Task Scheduler:
$policyName = "Financial Data Protection"
# Select sites that have no sensitivity label assigned ($null on the left avoids array-comparison pitfalls)
$sites = Get-PnPTenantSite | Where-Object { $null -eq $_.SensitivityLabel }
foreach ($site in $sites) {
    Set-PnPDlpPolicy -Name $policyName -Site $site.Url
    # $($site.Url) is required; "$site.Url" would print the object's string form followed by ".Url"
    Write-Host "Applied DLP Policy to: $($site.Url)"
}
✔ Ensures all new sites are secured automatically
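When the Step 8 loop runs unattended, a practitioner usually wants a dry run before the first real rollout, a skip list for tenant infrastructure sites, per-site error handling so one failure does not abort the run, and a CSV audit trail for the compliance record. The function below is an added example, not code from the original post; it assumes an existing Connect-PnPOnline session and the Set-PnPDlpPolicy cmdlet as used on this page, and the function name, parameter names and the default template list are hypothetical choices.

```powershell
# Added example (not from the original post): an auditable version of the Step 8 loop.
# Assumes an active Connect-PnPOnline session and the page's Set-PnPDlpPolicy cmdlet.
function Invoke-DlpPolicyRollout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $PolicyName,
        # Site templates that are tenant infrastructure rather than user content (assumed skip list)
        [string[]] $ExcludeTemplates = @('SRCHCEN#0', 'SPSMSITEHOST#0', 'APPCATALOG#0', 'POINTPUBLISHINGHUB#0'),
        [string] $LogPath = ".\dlp-rollout-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
    )

    $results = foreach ($site in Get-PnPTenantSite) {
        # Keep the post's selection rule: only sites with no sensitivity label
        if ($null -ne $site.SensitivityLabel) { continue }

        if ($ExcludeTemplates -contains $site.Template) {
            [pscustomobject]@{ Url = $site.Url; Template = $site.Template; Outcome = 'Skipped'; Error = $null }
            continue
        }
        # -WhatIf turns this into a dry run: every candidate is listed, nothing is changed
        if (-not $PSCmdlet.ShouldProcess($site.Url, "Apply DLP policy '$PolicyName'")) {
            [pscustomobject]@{ Url = $site.Url; Template = $site.Template; Outcome = 'DryRun'; Error = $null }
            continue
        }
        try {
            Set-PnPDlpPolicy -Name $PolicyName -Site $site.Url -ErrorAction Stop
            [pscustomobject]@{ Url = $site.Url; Template = $site.Template; Outcome = 'Applied'; Error = $null }
        }
        catch {
            # Record the failure and keep going; one bad site must not abort the whole run
            [pscustomobject]@{ Url = $site.Url; Template = $site.Template; Outcome = 'Failed'; Error = $_.Exception.Message }
        }
    }

    if ($results) {
        # Per-site audit trail, then a one-line summary per outcome
        $results | Export-Csv -Path $LogPath -NoTypeInformation
        $results | Group-Object Outcome | Select-Object Name, Count
    }
}

# Dry run first to review the candidate list, then the real rollout
Invoke-DlpPolicyRollout -PolicyName 'Financial Data Protection' -WhatIf
Invoke-DlpPolicyRollout -PolicyName 'Financial Data Protection'
```

Review the CSV from the dry run before the enforcing run, and keep the enforcing run's CSV with your compliance evidence.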