Domain 1
Workload coverage
Partial coverage is the most common pattern: Exchange-only DLP catches the email exfiltration but misses the SharePoint-link, OneDrive-sync and Teams-message scenarios. Full M365 coverage is the floor.
Free tool · 5 minutes · Microsoft Purview DLP
PURVIEW DLP —
POLICY GAP ANALYSER.
Most Australian mid-market tenants own Microsoft Purview DLP but only a fraction have policies in active use. Score your DLP coverage across SharePoint, OneDrive, Teams, Exchange and Endpoint, plus the operating discipline, in five minutes.
8 questions · 4 domains
Microsoft Purview DLP Policy Gap Analyser
Score your Microsoft Purview Data Loss Prevention coverage across SharePoint, OneDrive, Teams, Exchange and Endpoint, plus the operating discipline that keeps DLP useful over time. Most AU mid-market tenants own DLP but only a fraction use it.
Domain 1
Workload coverage
DLP policies in active enforcement across SharePoint, OneDrive, Teams chat, Teams files, Exchange Online and Endpoint DLP for Windows + macOS.
Which Microsoft 365 workloads have DLP policies in active enforcement?
Source: Microsoft Purview Data Loss Prevention workload scope.
Is Endpoint DLP deployed on managed devices?
Source: Microsoft Purview Endpoint DLP guidance.
Domain 2
Information types and labels
Use of out-of-the-box sensitive information types (Australian-specific: TFN, ABN, Medicare number, driver licence), custom info types, sensitivity label integration.
Are Australian-specific sensitive information types in active use?
Source: Microsoft Purview sensitive information types catalogue (AU-specific).
Are Purview sensitivity labels integrated with DLP policies?
Source: Microsoft Purview Information Protection + DLP integration.
Domain 3
Policy design and mode
Move from policy-tip mode to enforcement, exception handling, false-positive tuning, business-justified override workflow.
What mode are DLP policies running in?
Source: Microsoft Purview DLP policy modes.
How is false-positive tuning handled?
Source: Microsoft Purview DLP tuning best practice.
Domain 4
Operating discipline
DLP incident triage, named owner, response runbook, integration with Insider Risk Management, executive reporting cadence.
Is there a named owner for DLP incidents with a response runbook?
Source: Frontrow DLP operating discipline benchmark.
Is DLP reported into broader security operating rhythm?
Source: Frontrow DLP reporting benchmark.
This is an indicative self-assessment. It is not a substitute for a tenant-level DLP audit. For verified results Frontrow runs a Microsoft Purview DLP rollout review in-tenant.
What the check covers
Four domains. One DLP posture.
Domain 2
Information types and labels
Microsoft ships AU-specific sensitive information types. They work out of the box. Custom info types (internal project codenames, customer numbers, employee IDs) take more work but materially improve precision.
Domain 3
Policy design and mode
DLP policies that stay in policy-tip mode forever don't protect anything. The discipline is to start in policy-tip, tune for false positives over 4-6 weeks, then move to block-with-override, then to block-no-override for the highest-sensitivity content.
Domain 4
Operating discipline
DLP alerts that go to a queue with no triage are noise. Named owners, response runbook, monthly metrics review, and integration with Insider Risk Management are what convert DLP from feature to control.
Frequently asked questions
What Australian IT and security teams ask.
What is Microsoft Purview Data Loss Prevention?
Microsoft Purview DLP is the Microsoft 365 capability that detects and blocks sensitive content from leaving the tenant or moving to inappropriate locations. It runs across SharePoint, OneDrive, Teams, Exchange Online and Endpoint DLP on Windows and macOS. DLP catches content based on sensitive information types (credit cards, TFN, ABN, Medicare numbers, custom patterns), keyword dictionaries, or sensitivity labels.
What sensitive information types does Microsoft Purview detect for Australia?
Out of the box Microsoft ships AU-specific info types: Australia Tax File Number (TFN), Australia Business Number (ABN), Australia Medicare Account Number, Australia Driver's Licence Number, Australia Passport Number, and Australia Company Number (ACN). These work without configuration. Custom info types (internal project codenames, customer ID patterns, employee ID format) take more work but materially improve precision.
Where does DLP fit in the Microsoft licensing stack?
Basic DLP for Exchange, SharePoint, OneDrive, Teams is included in Microsoft 365 E3 / Office 365 E3 and Microsoft 365 Business Premium. Endpoint DLP requires Microsoft 365 E5 / Office 365 E5 / Microsoft 365 E5 Information Protection and Governance add-on, plus Microsoft Defender for Endpoint onboarding. The licensing reality is most AU mid-market tenants already own DLP — they just haven't deployed it.
What's the difference between DLP, Information Protection labels, and Insider Risk Management?
Three complementary controls. DLP detects and blocks specific content patterns moving inappropriately. Information Protection labels classify content for security treatment (encryption, watermarks, access). Insider Risk Management surfaces behavioural risk patterns (unusual downloads, departing-employee data movement). Mature AU mid-market deployments run all three with shared signal, not in isolation.
How does DLP intersect with the Australian Privacy Act?
Australian Privacy Principle 11 requires reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. DLP is one of the practical 'reasonable steps' in a Microsoft 365 environment. The OAIC's reasonable-steps guidance increasingly reads as expecting active DLP for tenants handling material personal information. The Notifiable Data Breach scheme makes the case stronger: DLP that's detected (and blocked) a breach attempt is materially different from DLP that detected nothing.
What's a realistic DLP rollout timeline?
The Frontrow benchmark across AU mid-market: 12 weeks to a mature initial deployment. Weeks 1-2 sensitivity labels published, info types selected. Weeks 3-4 Exchange DLP in policy-tip mode. Weeks 5-6 SharePoint and OneDrive DLP in policy-tip. Weeks 7-8 Teams DLP. Weeks 9-10 Endpoint DLP audit mode. Weeks 11-12 progressive enforcement starting with TFN exfiltration, then expanding. Ongoing tuning thereafter.
What is the Frontrow in-tenant DLP audit?
A direct review of Purview DLP policies, Microsoft sensitive info types in active use, alert volume and triage discipline, and the integration with sensitivity labels and Insider Risk Management. Output: gap report against the Frontrow DLP maturity rubric, prioritised rollout plan, sample policies and runbooks. Indicative pricing on request.
How is this self-assessment validated?
Every scoring threshold cites a primary source: Microsoft Learn for Purview DLP policies, sensitive information types and Endpoint DLP, Australian Privacy Principle 11 and OAIC reasonable steps guidance, plus the Frontrow AU mid-market DLP rollout benchmark. Methodology authored by Daniel Brown (5x Microsoft MVP), Graeme Lodge (Managing Director), and Sam Williams (Investor & Executive Consultant).